Merge pull request 'per-bucket keys' (#68) from feat-per-bucket-key into main

Reviewed-on: #68

.drone.yml

@@ -1,13 +0,0 @@
----
-pipeline:
-  build:
-    image: golang:stretch
-    commands:
-      - go get -d -v
-      - go build -v
-
----
-kind: signature
-hmac: 38948cd073f3a0b73ab7bb13ba1b5e18c64c02976abfd6dcd5bf7a4c34197e8c
-
-...

.envrc

@@ -0,0 +1 @@
+use flake

.gitignore

@@ -1,3 +1,6 @@
 guichet
 guichet.static
 config.json
+result
+.direnv/
+password

.woodpecker.yml

@@ -0,0 +1,13 @@
+when:
+  event:
+  - push
+  - pull_request
+  - tag
+  - cron
+  - manual
+
+steps:
+  - name: build
+    image: nixpkgs/nix:nixos-22.05
+    commands:
+      - nix build --extra-experimental-features nix-command --extra-experimental-features flakes .

README.md

@@ -1,6 +1,6 @@
 # Guichet
 
-[![Build Status](https://drone.deuxfleurs.fr/api/badges/Deuxfleurs/guichet/status.svg?ref=refs/heads/main)](https://drone.deuxfleurs.fr/Deuxfleurs/guichet)
+[![status-badge](https://woodpecker.deuxfleurs.fr/api/badges/37/status.svg)](https://woodpecker.deuxfleurs.fr/repos/37)
 
 Guichet is a simple LDAP web interface for the following tasks:
 

admin.go

@@ -2,7 +2,6 @@ package main
 
 import (
 	"fmt"
-	"html/template"
 	"net/http"
 	"regexp"
 	"sort"
@@ -12,18 +11,18 @@ import (
 	"github.com/gorilla/mux"
 )
 
-func checkAdminLogin(w http.ResponseWriter, r *http.Request) *LoginStatus {
+func checkAdminLogin(w http.ResponseWriter, r *http.Request) *LoggedUser {
-	login := checkLogin(w, r)
+	user := RequireUserHtml(w, r)
-	if login == nil {
+	if user == nil {
 		return nil
 	}
 
-	if !login.CanAdmin {
+	if !user.Capabilities.CanAdmin {
 		http.Error(w, "Not authorized to perform administrative operations.", http.StatusUnauthorized)
 		return nil
 	}
 
-	return login
+	return user
 }
 
 type EntryList []*ldap.Entry
@@ -41,17 +40,17 @@ func (d EntryList) Less(i, j int) bool {
 }
 
 type AdminUsersTplData struct {
-	Login        *LoginStatus
+	User         *LoggedUser
 	UserNameAttr string
 	UserBaseDN   string
 	Users        EntryList
 }
 
 func handleAdminUsers(w http.ResponseWriter, r *http.Request) {
-	templateAdminUsers := template.Must(template.ParseFiles("templates/layout.html", "templates/admin_users.html"))
+	templateAdminUsers := getTemplate("admin_users.html")
 
-	login := checkAdminLogin(w, r)
+	user := checkAdminLogin(w, r)
-	if login == nil {
+	if user == nil {
 		return
 	}
 
@@ -62,14 +61,14 @@ func handleAdminUsers(w http.ResponseWriter, r *http.Request) {
 		[]string{config.UserNameAttr, "dn", "displayname", "givenname", "sn", "mail"},
 		nil)
 
-	sr, err := login.conn.Search(searchRequest)
+	sr, err := user.Login.conn.Search(searchRequest)
 	if err != nil {
 		http.Error(w, err.Error(), http.StatusInternalServerError)
 		return
 	}
 
 	data := &AdminUsersTplData{
-		Login:        login,
+		User:         user,
 		UserNameAttr: config.UserNameAttr,
 		UserBaseDN:   config.UserBaseDN,
 		Users:        EntryList(sr.Entries),
@@ -80,17 +79,17 @@ func handleAdminUsers(w http.ResponseWriter, r *http.Request) {
 }
 
 type AdminGroupsTplData struct {
-	Login         *LoginStatus
+	User          *LoggedUser
 	GroupNameAttr string
 	GroupBaseDN   string
 	Groups        EntryList
 }
 
 func handleAdminGroups(w http.ResponseWriter, r *http.Request) {
-	templateAdminGroups := template.Must(template.ParseFiles("templates/layout.html", "templates/admin_groups.html"))
+	templateAdminGroups := getTemplate("admin_groups.html")
 
-	login := checkAdminLogin(w, r)
+	user := checkAdminLogin(w, r)
-	if login == nil {
+	if user == nil {
 		return
 	}
 
@@ -101,14 +100,14 @@ func handleAdminGroups(w http.ResponseWriter, r *http.Request) {
 		[]string{config.GroupNameAttr, "dn", "description"},
 		nil)
 
-	sr, err := login.conn.Search(searchRequest)
+	sr, err := user.Login.conn.Search(searchRequest)
 	if err != nil {
 		http.Error(w, err.Error(), http.StatusInternalServerError)
 		return
 	}
 
 	data := &AdminGroupsTplData{
-		Login:         login,
+		User:          user,
 		GroupNameAttr: config.GroupNameAttr,
 		GroupBaseDN:   config.GroupBaseDN,
 		Groups:        EntryList(sr.Entries),
@@ -118,11 +117,239 @@ func handleAdminGroups(w http.ResponseWriter, r *http.Request) {
 	templateAdminGroups.Execute(w, data)
 }
 
+type AdminMailingTplData struct {
+	User            *LoggedUser
+	MailingNameAttr string
+	MailingBaseDN   string
+	MailingLists    EntryList
+}
+
+func handleAdminMailing(w http.ResponseWriter, r *http.Request) {
+	templateAdminMailing := getTemplate("admin_mailing.html")
+
+	user := checkAdminLogin(w, r)
+	if user == nil {
+		return
+	}
+
+	searchRequest := ldap.NewSearchRequest(
+		config.MailingBaseDN,
+		ldap.ScopeSingleLevel, ldap.NeverDerefAliases, 0, 0, false,
+		fmt.Sprintf("(&(objectClass=groupOfNames))"),
+		[]string{config.MailingNameAttr, "dn", "description"},
+		nil)
+
+	sr, err := user.Login.conn.Search(searchRequest)
+	if err != nil {
+		http.Error(w, err.Error(), http.StatusInternalServerError)
+		return
+	}
+
+	data := &AdminMailingTplData{
+		User:            user,
+		MailingNameAttr: config.MailingNameAttr,
+		MailingBaseDN:   config.MailingBaseDN,
+		MailingLists:    EntryList(sr.Entries),
+	}
+	sort.Sort(data.MailingLists)
+
+	templateAdminMailing.Execute(w, data)
+}
+
+type AdminMailingListTplData struct {
+	User            *LoggedUser
+	MailingNameAttr string
+	MailingBaseDN   string
+
+	MailingList        *ldap.Entry
+	Members            EntryList
+	PossibleNewMembers EntryList
+	AllowGuest         bool
+
+	Error   string
+	Success bool
+}
+
+func handleAdminMailingList(w http.ResponseWriter, r *http.Request) {
+	templateAdminMailingList := getTemplate("admin_mailing_list.html")
+
+	user := checkAdminLogin(w, r)
+	if user == nil {
+		return
+	}
+
+	id := mux.Vars(r)["id"]
+	dn := fmt.Sprintf("%s=%s,%s", config.MailingNameAttr, id, config.MailingBaseDN)
+
+	// handle modifications
+	dError := ""
+	dSuccess := false
+
+	if r.Method == "POST" {
+		r.ParseForm()
+		action := strings.Join(r.Form["action"], "")
+		if action == "add-member" {
+			member := strings.Join(r.Form["member"], "")
+			modify_request := ldap.NewModifyRequest(dn, nil)
+			modify_request.Add("member", []string{member})
+
+			err := user.Login.conn.Modify(modify_request)
+			if err != nil {
+				dError = err.Error()
+			} else {
+				dSuccess = true
+			}
+		} else if action == "add-external" {
+			mail := strings.Join(r.Form["mail"], "")
+			displayname := strings.Join(r.Form["displayname"], "")
+
+			searchRequest := ldap.NewSearchRequest(
+				config.UserBaseDN,
+				ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false,
+				fmt.Sprintf("(&(objectClass=organizationalPerson)(mail=%s))", mail),
+				[]string{"dn", "displayname", "mail"},
+				nil)
+			sr, err := user.Login.conn.Search(searchRequest)
+			if err != nil {
+				dError = err.Error()
+			} else {
+				if len(sr.Entries) == 0 {
+					if config.MailingGuestsBaseDN != "" {
+						guestDn := fmt.Sprintf("%s=%s,%s", config.UserNameAttr, mail, config.MailingGuestsBaseDN)
+						req := ldap.NewAddRequest(guestDn, nil)
+						req.Attribute("objectclass", []string{"inetOrgPerson", "organizationalPerson", "person", "top"})
+						req.Attribute("mail", []string{mail})
+						if displayname != "" {
+							req.Attribute("displayname", []string{displayname})
+						}
+						err := user.Login.conn.Add(req)
+						if err != nil {
+							dError = err.Error()
+						} else {
+							modify_request := ldap.NewModifyRequest(dn, nil)
+							modify_request.Add("member", []string{guestDn})
+
+							err := user.Login.conn.Modify(modify_request)
+							if err != nil {
+								dError = err.Error()
+							} else {
+								dSuccess = true
+							}
+						}
+					} else {
+						dError = "Adding guest users not supported, the user must already have an LDAP account."
+					}
+				} else if len(sr.Entries) == 1 {
+					modify_request := ldap.NewModifyRequest(dn, nil)
+					modify_request.Add("member", []string{sr.Entries[0].DN})
+
+					err := user.Login.conn.Modify(modify_request)
+					if err != nil {
+						dError = err.Error()
+					} else {
+						dSuccess = true
+					}
+				} else {
+					dError = fmt.Sprintf("Multiple users exist with email address %s", mail)
+				}
+			}
+		} else if action == "delete-member" {
+			member := strings.Join(r.Form["member"], "")
+			modify_request := ldap.NewModifyRequest(dn, nil)
+			modify_request.Delete("member", []string{member})
+
+			err := user.Login.conn.Modify(modify_request)
+			if err != nil {
+				dError = err.Error()
+			} else {
+				dSuccess = true
+			}
+		}
+	}
+
+	// Retrieve mailing list
+	searchRequest := ldap.NewSearchRequest(
+		dn,
+		ldap.ScopeBaseObject, ldap.NeverDerefAliases, 0, 0, false,
+		fmt.Sprintf("(objectclass=groupOfNames)"),
+		[]string{"dn", config.MailingNameAttr, "member", "description"},
+		nil)
+
+	sr, err := user.Login.conn.Search(searchRequest)
+	if err != nil {
+		http.Error(w, err.Error(), http.StatusInternalServerError)
+		return
+	}
+
+	if len(sr.Entries) != 1 {
+		http.Error(w, fmt.Sprintf("Object not found: %s", dn), http.StatusNotFound)
+		return
+	}
+
+	ml := sr.Entries[0]
+
+	memberDns := make(map[string]bool)
+	for _, attr := range ml.Attributes {
+		if attr.Name == "member" {
+			for _, v := range attr.Values {
+				memberDns[v] = true
+			}
+		}
+	}
+
+	// Retrieve list of current and possible new members
+	members := []*ldap.Entry{}
+	possibleNewMembers := []*ldap.Entry{}
+
+	searchRequest = ldap.NewSearchRequest(
+		config.UserBaseDN,
+		ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false,
+		fmt.Sprintf("(objectClass=organizationalPerson)"),
+		[]string{"dn", "displayname", "mail"},
+		nil)
+	sr, err = user.Login.conn.Search(searchRequest)
+	if err != nil {
+		http.Error(w, err.Error(), http.StatusInternalServerError)
+		return
+	}
+
+	for _, ent := range sr.Entries {
+		if _, ok := memberDns[ent.DN]; ok {
+			members = append(members, ent)
+		} else {
+			possibleNewMembers = append(possibleNewMembers, ent)
+		}
+	}
+
+	data := &AdminMailingListTplData{
+		User:            user,
+		MailingNameAttr: config.MailingNameAttr,
+		MailingBaseDN:   config.MailingBaseDN,
+
+		MailingList:        ml,
+		Members:            members,
+		PossibleNewMembers: possibleNewMembers,
+		AllowGuest:         config.MailingGuestsBaseDN != "",
+
+		Error:   dError,
+		Success: dSuccess,
+	}
+	sort.Sort(data.Members)
+	sort.Sort(data.PossibleNewMembers)
+
+	templateAdminMailingList.Execute(w, data)
+}
+
+// ===================================================
+// 					   LDAP EXPLORER
+// ===================================================
+
 type AdminLDAPTplData struct {
 	DN string
 
 	Path          []PathItem
-	Children    []Child
+	ChildrenOU    []Child
+	ChildrenOther []Child
 	CanAddChild   bool
 	Props         map[string]*PropValues
 	CanDelete     bool
@@ -165,10 +392,10 @@ type PropValues struct {
 }
 
 func handleAdminLDAP(w http.ResponseWriter, r *http.Request) {
-	templateAdminLDAP := template.Must(template.ParseFiles("templates/layout.html", "templates/admin_ldap.html"))
+	templateAdminLDAP := getTemplate("admin_ldap.html")
 
-	login := checkAdminLogin(w, r)
+	user := checkAdminLogin(w, r)
-	if login == nil {
+	if user == nil {
 		return
 	}
 
@@ -218,7 +445,7 @@ func handleAdminLDAP(w http.ResponseWriter, r *http.Request) {
 				modify_request := ldap.NewModifyRequest(dn, nil)
 				modify_request.Replace(attr, values_filtered)
 
-				err := login.conn.Modify(modify_request)
+				err := user.Login.conn.Modify(modify_request)
 				if err != nil {
 					dError = err.Error()
 				} else {
@@ -239,7 +466,7 @@ func handleAdminLDAP(w http.ResponseWriter, r *http.Request) {
 			modify_request := ldap.NewModifyRequest(dn, nil)
 			modify_request.Add(attr, values_filtered)
 
-			err := login.conn.Modify(modify_request)
+			err := user.Login.conn.Modify(modify_request)
 			if err != nil {
 				dError = err.Error()
 			} else {
@@ -251,7 +478,7 @@ func handleAdminLDAP(w http.ResponseWriter, r *http.Request) {
 			modify_request := ldap.NewModifyRequest(dn, nil)
 			modify_request.Replace(attr, []string{})
 
-			err := login.conn.Modify(modify_request)
+			err := user.Login.conn.Modify(modify_request)
 			if err != nil {
 				dError = err.Error()
 			} else {
@@ -262,7 +489,7 @@ func handleAdminLDAP(w http.ResponseWriter, r *http.Request) {
 			modify_request := ldap.NewModifyRequest(group, nil)
 			modify_request.Delete("member", []string{dn})
 
-			err := login.conn.Modify(modify_request)
+			err := user.Login.conn.Modify(modify_request)
 			if err != nil {
 				dError = err.Error()
 			} else {
@@ -273,7 +500,7 @@ func handleAdminLDAP(w http.ResponseWriter, r *http.Request) {
 			modify_request := ldap.NewModifyRequest(group, nil)
 			modify_request.Add("member", []string{dn})
 
-			err := login.conn.Modify(modify_request)
+			err := user.Login.conn.Modify(modify_request)
 			if err != nil {
 				dError = err.Error()
 			} else {
@@ -284,7 +511,7 @@ func handleAdminLDAP(w http.ResponseWriter, r *http.Request) {
 			modify_request := ldap.NewModifyRequest(dn, nil)
 			modify_request.Delete("member", []string{member})
 
-			err := login.conn.Modify(modify_request)
+			err := user.Login.conn.Modify(modify_request)
 			if err != nil {
 				dError = err.Error()
 			} else {
@@ -292,7 +519,7 @@ func handleAdminLDAP(w http.ResponseWriter, r *http.Request) {
 			}
 		} else if action == "delete-object" {
 			del_request := ldap.NewDelRequest(dn, nil)
-			err := login.conn.Del(del_request)
+			err := user.Login.conn.Del(del_request)
 			if err != nil {
 				dError = err.Error()
 			} else {
@@ -310,7 +537,7 @@ func handleAdminLDAP(w http.ResponseWriter, r *http.Request) {
 		[]string{},
 		nil)
 
-	sr, err := login.conn.Search(searchRequest)
+	sr, err := user.Login.conn.Search(searchRequest)
 	if err != nil {
 		http.Error(w, err.Error(), http.StatusInternalServerError)
 		return
@@ -394,7 +621,7 @@ func handleAdminLDAP(w http.ResponseWriter, r *http.Request) {
 			fmt.Sprintf("(objectClass=organizationalPerson)"),
 			[]string{"dn", "displayname", "description"},
 			nil)
-		sr, err = login.conn.Search(searchRequest)
+		sr, err = user.Login.conn.Search(searchRequest)
 		if err != nil {
 			http.Error(w, err.Error(), http.StatusInternalServerError)
 			return
@@ -448,7 +675,7 @@ func handleAdminLDAP(w http.ResponseWriter, r *http.Request) {
 			fmt.Sprintf("(objectClass=groupOfNames)"),
 			[]string{"dn", "description"},
 			nil)
-		sr, err = login.conn.Search(searchRequest)
+		sr, err = user.Login.conn.Search(searchRequest)
 		if err != nil {
 			http.Error(w, err.Error(), http.StatusInternalServerError)
 			return
@@ -492,7 +719,7 @@ func handleAdminLDAP(w http.ResponseWriter, r *http.Request) {
 		[]string{"dn", "displayname", "description"},
 		nil)
 
-	sr, err = login.conn.Search(searchRequest)
+	sr, err = user.Login.conn.Search(searchRequest)
 	if err != nil {
 		http.Error(w, err.Error(), http.StatusInternalServerError)
 		return
@@ -500,17 +727,23 @@ func handleAdminLDAP(w http.ResponseWriter, r *http.Request) {
 
 	sort.Sort(EntryList(sr.Entries))
 
-	children := []Child{}
+	childrenOU := []Child{}
+	childrenOther := []Child{}
 	for _, item := range sr.Entries {
 		name := item.GetAttributeValue("displayname")
 		if name == "" {
 			name = item.GetAttributeValue("description")
 		}
-		children = append(children, Child{
+		child := Child{
 			DN:         item.DN,
 			Identifier: strings.Split(item.DN, ",")[0],
 			Name:       name,
-		})
+		}
+		if strings.HasPrefix(item.DN, "ou=") {
+			childrenOU = append(childrenOU, child)
+		} else {
+			childrenOther = append(childrenOther, child)
+		}
 	}
 
 	// Run template, finally!
@@ -518,10 +751,11 @@ func handleAdminLDAP(w http.ResponseWriter, r *http.Request) {
 		DN: dn,
 
 		Path:          path,
-		Children:    children,
+		ChildrenOU:    childrenOU,
+		ChildrenOther: childrenOther,
 		Props:         props,
 		CanAddChild:   dn_last_attr == "ou" || isOrganization,
-		CanDelete:   dn != config.BaseDN && len(children) == 0,
+		CanDelete:     dn != config.BaseDN && len(childrenOU) == 0 && len(childrenOther) == 0,
 
 		HasMembers:         len(members) > 0 || hasMembers,
 		Members:            members,
@@ -551,10 +785,10 @@ type CreateData struct {
 }
 
 func handleAdminCreate(w http.ResponseWriter, r *http.Request) {
-	templateAdminCreate := template.Must(template.ParseFiles("templates/layout.html", "templates/admin_create.html"))
+	templateAdminCreate := getTemplate("admin_create.html")
 
-	login := checkAdminLogin(w, r)
+	user := checkAdminLogin(w, r)
-	if login == nil {
+	if user == nil {
 		return
 	}
 
@@ -569,7 +803,7 @@ func handleAdminCreate(w http.ResponseWriter, r *http.Request) {
 		[]string{},
 		nil)
 
-	sr, err := login.conn.Search(searchRequest)
+	sr, err := user.Login.conn.Search(searchRequest)
 	if err != nil {
 		http.Error(w, err.Error(), http.StatusInternalServerError)
 		return
@@ -607,7 +841,7 @@ func handleAdminCreate(w http.ResponseWriter, r *http.Request) {
 		data.IdType = config.UserNameAttr
 		data.StructuralObjectClass = "inetOrgPerson"
 		data.ObjectClass = "inetOrgPerson\norganizationalPerson\nperson\ntop"
-	} else if template == "group" {
+	} else if template == "group" || template == "ml" {
 		data.IdType = config.UserNameAttr
 		data.StructuralObjectClass = "groupOfNames"
 		data.ObjectClass = "groupOfNames\ntop"
@@ -646,8 +880,6 @@ func handleAdminCreate(w http.ResponseWriter, r *http.Request) {
 			data.Error = "Invalid identifier type"
 		} else if len(data.IdValue) == 0 {
 			data.Error = "No identifier specified"
-		} else if match, err := regexp.MatchString("^[\\d\\w_-]+$", data.IdValue); err != nil || !match {
-			data.Error = "Invalid identifier"
 		} else {
 			dn := data.IdType + "=" + data.IdValue + "," + super_dn
 			req := ldap.NewAddRequest(dn, nil)
@@ -662,13 +894,16 @@ func handleAdminCreate(w http.ResponseWriter, r *http.Request) {
 				req.Attribute("description", []string{data.Description})
 			}
 
-			err := login.conn.Add(req)
+			err := user.Login.conn.Add(req)
 			if err != nil {
 				data.Error = err.Error()
+			} else {
+				if template == "ml" {
+					http.Redirect(w, r, "/admin/mailing/"+data.IdValue, http.StatusFound)
 				} else {
 					http.Redirect(w, r, "/admin/ldap/"+dn, http.StatusFound)
 				}
-
+			}
 		}
 	}
 

api.go

@@ -0,0 +1,127 @@
+package main
+
+import (
+	"encoding/json"
+	"errors"
+	"fmt"
+	"github.com/gorilla/mux"
+	"net/http"
+)
+
+func handleAPIWebsiteList(w http.ResponseWriter, r *http.Request) {
+	user := RequireUserApi(w, r)
+
+	if user == nil {
+		return
+	}
+
+	ctrl, err := NewWebsiteController(user)
+	if err != nil {
+		http.Error(w, err.Error(), http.StatusInternalServerError)
+		return
+	}
+
+	if r.Method == http.MethodGet {
+		describe, err := ctrl.Describe()
+		if err != nil {
+			http.Error(w, err.Error(), http.StatusInternalServerError)
+		}
+
+		w.Header().Set("Content-Type", "application/json")
+		json.NewEncoder(w).Encode(describe)
+		return
+	}
+
+	http.Error(w, "This method is not implemented for this endpoint", http.StatusNotImplemented)
+	return
+}
+
+func handleAPIWebsiteInspect(w http.ResponseWriter, r *http.Request) {
+	user := RequireUserApi(w, r)
+
+	if user == nil {
+		return
+	}
+
+	bucketName := mux.Vars(r)["bucket"]
+	ctrl, err := NewWebsiteController(user)
+	if err != nil {
+		http.Error(w, err.Error(), http.StatusInternalServerError)
+		return
+	}
+
+	if r.Method == http.MethodGet {
+		view, err := ctrl.Inspect(bucketName)
+		if errors.Is(err, ErrWebsiteNotFound) {
+			http.Error(w, err.Error(), http.StatusNotFound)
+			return
+		} else if err != nil {
+			http.Error(w, err.Error(), http.StatusInternalServerError)
+			return
+		}
+		w.Header().Set("Content-Type", "application/json")
+		json.NewEncoder(w).Encode(view)
+		return
+	}
+
+	if r.Method == http.MethodPost {
+		view, err := ctrl.Create(bucketName)
+		if errors.Is(err, ErrEmptyBucketName) {
+			http.Error(w, err.Error(), http.StatusBadRequest)
+			return
+		} else if errors.Is(err, ErrWebsiteQuotaReached) {
+			http.Error(w, err.Error(), http.StatusForbidden)
+			return
+		} else if err != nil {
+			http.Error(w, err.Error(), http.StatusInternalServerError)
+			return
+		}
+
+		w.WriteHeader(http.StatusCreated)
+		w.Header().Set("Content-Type", "application/json")
+		json.NewEncoder(w).Encode(view)
+		return
+	}
+
+	if r.Method == http.MethodPatch {
+		var patch WebsitePatch
+		err := json.NewDecoder(r.Body).Decode(&patch)
+		if err != nil {
+			http.Error(w, errors.Join(fmt.Errorf("Can't parse the request body as a website patch JSON"), err).Error(), http.StatusBadRequest)
+			return
+		}
+
+		view, err := ctrl.Patch(bucketName, &patch)
+		if errors.Is(err, ErrWebsiteNotFound) {
+			http.Error(w, err.Error(), http.StatusNotFound)
+			return
+		} else if err != nil {
+			http.Error(w, err.Error(), http.StatusInternalServerError)
+			return
+		}
+
+		w.Header().Set("Content-Type", "application/json")
+		json.NewEncoder(w).Encode(view)
+		return
+	}
+
+	if r.Method == http.MethodDelete {
+		err := ctrl.Delete(bucketName)
+		if errors.Is(err, ErrEmptyBucketName) || errors.Is(err, ErrBucketDeleteNotEmpty) || errors.Is(err, ErrBucketDeleteUnfinishedUpload) {
+			http.Error(w, err.Error(), http.StatusBadRequest)
+			return
+		} else if errors.Is(err, ErrWebsiteNotFound) {
+			http.Error(w, err.Error(), http.StatusNotFound)
+			return
+		} else if err != nil {
+			http.Error(w, err.Error(), http.StatusInternalServerError)
+			return
+		}
+		w.WriteHeader(http.StatusNoContent)
+		return
+
+	}
+
+	http.Error(w, "This method is not implemented for this endpoint", http.StatusNotImplemented)
+	return
+}

cli.go

@@ -0,0 +1,44 @@
+package main
+
+import (
+	"flag"
+	"fmt"
+	"golang.org/x/term"
+	"os"
+	"syscall"
+)
+
+var fsCli = flag.NewFlagSet("cli", flag.ContinueOnError)
+var passFlag = fsCli.Bool("passwd", false, "Tool to generate a guichet-compatible password hash")
+
+func cliMain(args []string) {
+	if err := fsCli.Parse(args); err != nil {
+		fmt.Println(err)
+		os.Exit(1)
+	}
+
+	if *passFlag {
+		cliPasswd()
+	} else {
+		fsCli.PrintDefaults()
+		os.Exit(1)
+	}
+}
+
+func cliPasswd() {
+	fmt.Print("Password: ")
+	bytepw, err := term.ReadPassword(int(syscall.Stdin))
+	if err != nil {
+		fmt.Println(err)
+		os.Exit(1)
+	}
+	pass := string(bytepw)
+
+	hash, err := SSHAEncode(pass)
+	if err != nil {
+		fmt.Println(err)
+		os.Exit(1)
+	}
+
+	fmt.Println(hash)
+}

config.json.example

@@ -2,30 +2,31 @@
   "http_bind_addr": ":9991",
   "ldap_server_addr": "ldap://127.0.0.1:389",
 
-  "base_dn": "dc=example,dc=com",
+  "base_dn": "dc=bottin,dc=eu",
-  "user_base_dn": "ou=users,dc=example,dc=com",
+  "user_base_dn": "ou=users,dc=bottin,dc=eu",
-  "user_name_attr": "uid",
+  "user_name_attr": "cn",
-  "group_base_dn": "ou=groups,dc=example,dc=com",
+  "group_base_dn": "ou=groups,dc=bottin,dc=eu",
-  "group_name_attr": "gid",
+  "group_name_attr": "cn",
 
-  "invitation_base_dn": "ou=invitations,dc=example,dc=com",
+  "invitation_base_dn": "ou=invitations,dc=bottin,dc=eu",
   "invitation_name_attr": "cn",
-  "invited_mail_format": "{}@example.com",
+  "invited_mail_format": "{}@bottin.eu",
-  "invited_auto_groups": [
+  "invited_auto_groups": [ ],
-    "cn=email,ou=groups,dc=example,dc=com"
-  ],
 
-  "web_address": "https://guichet.example.com",
+  "web_address": "http://localhost:9991",
-  "mail_from": "welcome@example.com",
+  "mail_from": "welcome@bottin.eu",
-  "smtp_server": "smtp.example.com",
+  "smtp_server": "smtp.bottin.eu",
   "smtp_username": "guichet",
   "smtp_password": "",
 
-  "admin_account": "uid=admin,dc=example,dc=com",
+  "admin_account": "cn=admin,dc=bottin,dc=eu",
-  "group_can_admin": "gid=admin,ou=groups,dc=example,dc=com",
+  "group_can_admin": "cn=admin,ou=groups,dc=bottin,dc=eu",
-  "group_can_invite": ""
+  "group_can_invite": "cn=admin,ou=groups,dc=bottin,dc=eu",
 
-  "s3_endpoint": "garage.example.com",
+  "s3_admin_endpoint": "localhost:3903",
+  "s3_admin_token": "GlXP43PWH3LuvEGSNxKYzZCyUss8VqZmarBU+HUlrxw=",
+
+  "s3_endpoint": "localhost:3900",
   "s3_access_key": "",
   "s3_secret_key": "",
   "s3_region": "garage",

directory.go

@@ -13,10 +13,10 @@ const FIELD_NAME_PROFILE_PICTURE = "profilePicture"
 const FIELD_NAME_DIRECTORY_VISIBILITY = "directoryVisibility"
 
 func handleDirectory(w http.ResponseWriter, r *http.Request) {
-	templateDirectory := template.Must(template.ParseFiles("templates/layout.html", "templates/directory.html"))
+	templateDirectory := getTemplate("directory.html")
 
-	login := checkLogin(w, r)
+	user := RequireUserHtml(w, r)
-	if login == nil {
+	if user == nil {
 		return
 	}
 
@@ -37,7 +37,7 @@ type SearchResults struct {
 }
 
 func handleDirectorySearch(w http.ResponseWriter, r *http.Request) {
-	templateDirectoryResults := template.Must(template.ParseFiles("templates/directory_results.html"))
+	templateDirectoryResults := template.Must(template.ParseFiles(templatePath + "/directory_results.html"))
 
 	//Get input value by user
 	r.ParseMultipartForm(1024)
@@ -49,8 +49,8 @@ func handleDirectorySearch(w http.ResponseWriter, r *http.Request) {
 	}
 
 	//Log to allow the research
-	login := checkLogin(w, r)
+	user := RequireUserHtml(w, r)
-	if login == nil {
+	if user == nil {
 		http.Error(w, "Login required", http.StatusUnauthorized)
 		return
 	}
@@ -69,7 +69,7 @@ func handleDirectorySearch(w http.ResponseWriter, r *http.Request) {
 		},
 		nil)
 
-	sr, err := login.conn.Search(searchRequest)
+	sr, err := user.Login.conn.Search(searchRequest)
 	if err != nil {
 		http.Error(w, err.Error(), http.StatusInternalServerError)
 		return

flake.lock

@@ -0,0 +1,97 @@
+{
+  "nodes": {
+    "flake-utils": {
+      "inputs": {
+        "systems": "systems"
+      },
+      "locked": {
+        "lastModified": 1694529238,
+        "narHash": "sha256-zsNZZGTGnMOf9YpHKJqMSsa0dXbfmxeoJ7xHlrt+xmY=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "ff7b65b44d01cf9ba6a71320833626af21126384",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    },
+    "gomod2nix": {
+      "inputs": {
+        "flake-utils": "flake-utils",
+        "nixpkgs": "nixpkgs"
+      },
+      "locked": {
+        "lastModified": 1694616124,
+        "narHash": "sha256-c49BVhQKw3XDRgt+y+uPAbArtgUlMXCET6VxEBmzHXE=",
+        "owner": "tweag",
+        "repo": "gomod2nix",
+        "rev": "f95720e89af6165c8c0aa77f180461fe786f3c21",
+        "type": "github"
+      },
+      "original": {
+        "owner": "tweag",
+        "repo": "gomod2nix",
+        "rev": "f95720e89af6165c8c0aa77f180461fe786f3c21",
+        "type": "github"
+      }
+    },
+    "nixpkgs": {
+      "locked": {
+        "lastModified": 1695711119,
+        "narHash": "sha256-qrtJ4zliGgH24FMhj5a/5Gq7SkjqKquF5AVS0eEevBk=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "044b1b65fd5dd49a535e9a9bd1a2cee884eb22d6",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "master",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs_2": {
+      "locked": {
+        "lastModified": 1695710730,
+        "narHash": "sha256-GigCuk3t8AVXr2NdX6eBgouc20JWWrZatbKH3xZZSC4=",
+        "owner": "nixos",
+        "repo": "nixpkgs",
+        "rev": "f758d66c9cc3011f5327f8583908a7803cc019b1",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nixos",
+        "repo": "nixpkgs",
+        "rev": "f758d66c9cc3011f5327f8583908a7803cc019b1",
+        "type": "github"
+      }
+    },
+    "root": {
+      "inputs": {
+        "gomod2nix": "gomod2nix",
+        "nixpkgs": "nixpkgs_2"
+      }
+    },
+    "systems": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
+    }
+  },
+  "root": "root",
+  "version": 7
+}

flake.nix

@@ -0,0 +1,57 @@
+{
+  description = "A simple LDAP web interface for Bottin";
+
+  inputs.nixpkgs.url =
+    "github:nixos/nixpkgs/f758d66c9cc3011f5327f8583908a7803cc019b1";
+  inputs.gomod2nix.url =
+    "github:tweag/gomod2nix/f95720e89af6165c8c0aa77f180461fe786f3c21";
+
+  outputs = { self, nixpkgs, gomod2nix }:
+    let
+      pkgs = import nixpkgs {
+        system = "x86_64-linux";
+        overlays = [
+          (import "${gomod2nix}/overlay.nix")
+        ];
+      };
+      src = ./.;
+      guichet = pkgs.buildGoApplication {
+        pname = "guichet";
+        version = "0.1.0";
+        src = src;
+        modules = ./gomod2nix.toml;
+
+        CGO_ENABLED = 0;
+
+        ldflags = [
+          "-X main.templatePath=${src + "/templates"}"
+          "-X main.staticPath=${src + "/static"}"
+        ];
+
+        meta = with pkgs.lib; {
+          description = "A simple LDAP web interface for Bottin";
+          homepage = "https://git.deuxfleurs.fr/Deuxfleurs/guichet";
+          license = licenses.gpl3Plus;
+          platforms = platforms.linux;
+        };
+      };
+
+
+      container = pkgs.dockerTools.buildImage {
+        name = "dxflrs/guichet";
+	copyToRoot = pkgs.buildEnv {
+          name = "guichet-env";
+	  paths = [ guichet pkgs.cacert ];
+	};
+        config = {
+         Entrypoint = "/bin/guichet";
+        };
+      };
+    in {
+      packages.x86_64-linux.guichet = guichet;
+      packages.x86_64-linux.container = container;
+      packages.x86_64-linux.default = guichet;
+      
+      devShell.x86_64-linux = pkgs.mkShell { nativeBuildInputs = [ pkgs.go pkgs.gomod2nix ]; };
+    };
+}

garage.go

@@ -0,0 +1,188 @@
+package main
+
+import (
+	"context"
+	"fmt"
+	garage "git.deuxfleurs.fr/garage-sdk/garage-admin-sdk-golang"
+	"log"
+)
+
+func gadmin() (*garage.APIClient, context.Context) {
+	// Set Host and other parameters
+	configuration := garage.NewConfiguration()
+	configuration.Host = config.S3AdminEndpoint
+
+	// We can now generate a client
+	client := garage.NewAPIClient(configuration)
+
+	// Authentication is handled through the context pattern
+	ctx := context.WithValue(context.Background(), garage.ContextAccessToken, config.S3AdminToken)
+	return client, ctx
+}
+
+func grgCreateKey(name string) (*garage.KeyInfo, error) {
+	client, ctx := gadmin()
+
+	kr := garage.NewAddKeyRequest()
+	kr.SetName(name)
+	resp, _, err := client.KeyApi.AddKey(ctx).AddKeyRequest(*kr).Execute()
+	if err != nil {
+		fmt.Printf("%+v\n", err)
+		return nil, err
+	}
+	return resp, nil
+}
+
+func grgGetKey(accessKey string) (*garage.KeyInfo, error) {
+	client, ctx := gadmin()
+
+	resp, _, err := client.KeyApi.GetKey(ctx).Id(accessKey).ShowSecretKey("true").Execute()
+	if err != nil {
+		fmt.Printf("%+v\n", err)
+		return nil, err
+	}
+	return resp, nil
+}
+
+func grgSearchKey(name string) (*garage.KeyInfo, error) {
+	client, ctx := gadmin()
+
+	resp, _, err := client.KeyApi.GetKey(ctx).Search(name).ShowSecretKey("true").Execute()
+	if err != nil {
+		fmt.Printf("%+v\n", err)
+		return nil, err
+	}
+	return resp, nil
+}
+
+func grgDelKey(accessKey string) error {
+	client, ctx := gadmin()
+
+	_, err := client.KeyApi.DeleteKey(ctx).Id(accessKey).Execute()
+	if err != nil {
+		fmt.Printf("%+v\n", err)
+		return err
+	}
+	return nil
+}
+
+func grgCreateBucket(bucket string) (*garage.BucketInfo, error) {
+	client, ctx := gadmin()
+
+	br := garage.NewCreateBucketRequest()
+	br.SetGlobalAlias(bucket)
+
+	// Create Bucket
+	binfo, _, err := client.BucketApi.CreateBucket(ctx).CreateBucketRequest(*br).Execute()
+	if err != nil {
+		fmt.Printf("%+v\n", err)
+		return nil, err
+	}
+	return binfo, nil
+}
+
+func grgAllowKeyOnBucket(bid, gkey string, read, write, owner bool) (*garage.BucketInfo, error) {
+	client, ctx := gadmin()
+
+	// Allow user's key
+	ar := garage.AllowBucketKeyRequest{
+		BucketId:    bid,
+		AccessKeyId: gkey,
+		Permissions: *garage.NewAllowBucketKeyRequestPermissions(read, write, owner),
+	}
+	binfo, _, err := client.BucketApi.AllowBucketKey(ctx).AllowBucketKeyRequest(ar).Execute()
+	if err != nil {
+		fmt.Printf("%+v\n", err)
+		return nil, err
+	}
+
+	return binfo, nil
+}
+
+func allowWebsiteDefault() *garage.UpdateBucketRequestWebsiteAccess {
+	wr := garage.NewUpdateBucketRequestWebsiteAccess()
+	wr.SetEnabled(true)
+	wr.SetIndexDocument("index.html")
+	wr.SetErrorDocument("error.html")
+
+	return wr
+}
+
+func grgUpdateBucket(bid string, ur *garage.UpdateBucketRequest) (*garage.BucketInfo, error) {
+	client, ctx := gadmin()
+
+	binfo, _, err := client.BucketApi.UpdateBucket(ctx).Id(bid).UpdateBucketRequest(*ur).Execute()
+	if err != nil {
+		fmt.Printf("%+v\n", err)
+		return nil, err
+	}
+
+	// Return updated binfo
+	return binfo, nil
+}
+
+func grgAddGlobalAlias(bid, alias string) (*garage.BucketInfo, error) {
+	client, ctx := gadmin()
+
+	resp, _, err := client.BucketApi.PutBucketGlobalAlias(ctx).Id(bid).Alias(alias).Execute()
+	if err != nil {
+		log.Println(err)
+		return nil, err
+	}
+	return resp, nil
+}
+
+func grgAddLocalAlias(bid, key, alias string) (*garage.BucketInfo, error) {
+	client, ctx := gadmin()
+
+	resp, _, err := client.BucketApi.PutBucketLocalAlias(ctx).Id(bid).AccessKeyId(key).Alias(alias).Execute()
+	if err != nil {
+		log.Println(err)
+		return nil, err
+	}
+	return resp, nil
+}
+
+func grgDelGlobalAlias(bid, alias string) (*garage.BucketInfo, error) {
+	client, ctx := gadmin()
+
+	resp, _, err := client.BucketApi.DeleteBucketGlobalAlias(ctx).Id(bid).Alias(alias).Execute()
+	if err != nil {
+		log.Println(err)
+		return nil, err
+	}
+	return resp, nil
+}
+
+func grgDelLocalAlias(bid, key, alias string) (*garage.BucketInfo, error) {
+	client, ctx := gadmin()
+
+	resp, _, err := client.BucketApi.DeleteBucketLocalAlias(ctx).Id(bid).AccessKeyId(key).Alias(alias).Execute()
+	if err != nil {
+		log.Println(err)
+		return nil, err
+	}
+	return resp, nil
+}
+
+func grgGetBucket(bid string) (*garage.BucketInfo, error) {
+	client, ctx := gadmin()
+
+	resp, _, err := client.BucketApi.GetBucketInfo(ctx).Id(bid).Execute()
+	if err != nil {
+		log.Println(err)
+		return nil, err
+	}
+	return resp, nil
+
+}
+
+func grgDeleteBucket(bid string) error {
+	client, ctx := gadmin()
+
+	_, err := client.BucketApi.DeleteBucket(ctx).Id(bid).Execute()
+	if err != nil {
+		log.Println(err)
+	}
+	return err
+}

go.mod

@@ -1,18 +1,38 @@
-module deuxfleurs.fr/Deuxfleurs/guichet
+module git.deuxfleurs.fr/Deuxfleurs/guichet
 
-go 1.13
+go 1.18
 
 require (
+	git.deuxfleurs.fr/garage-sdk/garage-admin-sdk-golang v0.0.0-20231128153612-8b81fae65e5e
 	github.com/emersion/go-sasl v0.0.0-20191210011802-430746ea8b9b
 	github.com/emersion/go-smtp v0.12.1
-	github.com/go-ldap/ldap v3.0.3+incompatible
 	github.com/go-ldap/ldap/v3 v3.1.6
 	github.com/google/uuid v1.1.1
 	github.com/gorilla/mux v1.7.3
 	github.com/gorilla/sessions v1.2.0
+	github.com/jsimonetti/pwscheme v0.0.0-20220125093853-4d9895f5db73
 	github.com/minio/minio-go/v7 v7.0.0
-	github.com/sirupsen/logrus v1.6.0
-	github.com/stretchr/objx v0.1.1 // indirect
-	golang.org/x/crypto v0.0.0-20200214034016-1d94cc7ab1c6
 	github.com/nfnt/resize v0.0.0-20180221191011-83c6a9932646
+	golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9
+	golang.org/x/term v0.12.0
+)
+
+require (
+	github.com/go-asn1-ber/asn1-ber v1.3.1 // indirect
+	github.com/golang/protobuf v1.4.2 // indirect
+	github.com/gorilla/securecookie v1.1.1 // indirect
+	github.com/json-iterator/go v1.1.10 // indirect
+	github.com/klauspost/cpuid v1.2.3 // indirect
+	github.com/minio/md5-simd v1.1.0 // indirect
+	github.com/minio/sha256-simd v0.1.1 // indirect
+	github.com/mitchellh/go-homedir v1.1.0 // indirect
+	github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421 // indirect
+	github.com/modern-go/reflect2 v0.0.0-20180701023420-4b7aa43c6742 // indirect
+	golang.org/x/net v0.0.0-20200822124328-c89045814202 // indirect
+	golang.org/x/oauth2 v0.0.0-20210323180902-22b0adad7558 // indirect
+	golang.org/x/sys v0.12.0 // indirect
+	golang.org/x/text v0.3.3 // indirect
+	google.golang.org/appengine v1.6.6 // indirect
+	google.golang.org/protobuf v1.25.0 // indirect
+	gopkg.in/ini.v1 v1.57.0 // indirect
 )

go.sum

@@ -1,4 +1,50 @@
+cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
+cloud.google.com/go v0.34.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
+cloud.google.com/go v0.38.0/go.mod h1:990N+gfupTy94rShfmMCWGDn0LpTmnzTp2qbd1dvSRU=
+cloud.google.com/go v0.44.1/go.mod h1:iSa0KzasP4Uvy3f1mN/7PiObzGgflwredwwASm/v6AU=
+cloud.google.com/go v0.44.2/go.mod h1:60680Gw3Yr4ikxnPRS/oxxkBccT6SA1yMk63TGekxKY=
+cloud.google.com/go v0.45.1/go.mod h1:RpBamKRgapWJb87xiFSdk4g1CME7QZg3uwTez+TSTjc=
+cloud.google.com/go v0.46.3/go.mod h1:a6bKKbmY7er1mI7TEI4lsAkts/mkhTSZK8w33B4RAg0=
+cloud.google.com/go v0.50.0/go.mod h1:r9sluTvynVuxRIOHXQEHMFffphuXHOMZMycpNR5e6To=
+cloud.google.com/go v0.52.0/go.mod h1:pXajvRH/6o3+F9jDHZWQ5PbGhn+o8w9qiu/CffaVdO4=
+cloud.google.com/go v0.53.0/go.mod h1:fp/UouUEsRkN6ryDKNW/Upv/JBKnv6WDthjR6+vze6M=
+cloud.google.com/go v0.54.0/go.mod h1:1rq2OEkV3YMf6n/9ZvGWI3GWw0VoqH/1x2nd8Is/bPc=
+cloud.google.com/go v0.56.0/go.mod h1:jr7tqZxxKOVYizybht9+26Z/gUq7tiRzu+ACVAMbKVk=
+cloud.google.com/go v0.57.0/go.mod h1:oXiQ6Rzq3RAkkY7N6t3TcE6jE+CIBBbA36lwQ1JyzZs=
+cloud.google.com/go v0.62.0/go.mod h1:jmCYTdRCQuc1PHIIJ/maLInMho30T/Y0M4hTdTShOYc=
+cloud.google.com/go v0.65.0/go.mod h1:O5N8zS7uWy9vkA9vayVHs65eM1ubvY4h553ofrNHObY=
+cloud.google.com/go/bigquery v1.0.1/go.mod h1:i/xbL2UlR5RvWAURpBYZTtm/cXjCha9lbfbpx4poX+o=
+cloud.google.com/go/bigquery v1.3.0/go.mod h1:PjpwJnslEMmckchkHFfq+HTD2DmtT67aNFKH1/VBDHE=
+cloud.google.com/go/bigquery v1.4.0/go.mod h1:S8dzgnTigyfTmLBfrtrhyYhwRxG72rYxvftPBK2Dvzc=
+cloud.google.com/go/bigquery v1.5.0/go.mod h1:snEHRnqQbz117VIFhE8bmtwIDY80NLUZUMb4Nv6dBIg=
+cloud.google.com/go/bigquery v1.7.0/go.mod h1://okPTzCYNXSlb24MZs83e2Do+h+VXtc4gLoIoXIAPc=
+cloud.google.com/go/bigquery v1.8.0/go.mod h1:J5hqkt3O0uAFnINi6JXValWIb1v0goeZM77hZzJN/fQ=
+cloud.google.com/go/datastore v1.0.0/go.mod h1:LXYbyblFSglQ5pkeyhO+Qmw7ukd3C+pD7TKLgZqpHYE=
+cloud.google.com/go/datastore v1.1.0/go.mod h1:umbIZjpQpHh4hmRpGhH4tLFup+FVzqBi1b3c64qFpCk=
+cloud.google.com/go/pubsub v1.0.1/go.mod h1:R0Gpsv3s54REJCy4fxDixWD93lHJMoZTyQ2kNxGRt3I=
+cloud.google.com/go/pubsub v1.1.0/go.mod h1:EwwdRX2sKPjnvnqCa270oGRyludottCI76h+R3AArQw=
+cloud.google.com/go/pubsub v1.2.0/go.mod h1:jhfEVHT8odbXTkndysNHCcx0awwzvfOlguIAii9o8iA=
+cloud.google.com/go/pubsub v1.3.1/go.mod h1:i+ucay31+CNRpDW4Lu78I4xXG+O1r/MAHgjpRVR+TSU=
+cloud.google.com/go/storage v1.0.0/go.mod h1:IhtSnM/ZTZV8YYJWCY8RULGVqBDmpoyjwiyrjsg+URw=
+cloud.google.com/go/storage v1.5.0/go.mod h1:tpKbwo567HUNpVclU5sGELwQWBDZ8gh0ZeosJ0Rtdos=
+cloud.google.com/go/storage v1.6.0/go.mod h1:N7U0C8pVQ/+NIKOBQyamJIeKQKkZ+mxpohlUTyfDhBk=
+cloud.google.com/go/storage v1.8.0/go.mod h1:Wv1Oy7z6Yz3DshWRJFhqM/UCfaWIRTdp0RXyy7KQOVs=
+cloud.google.com/go/storage v1.10.0/go.mod h1:FLPqc6j+Ki4BU591ie1oL6qBQGu2Bl/tZ9ullr3+Kg0=
+dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU=
+git.deuxfleurs.fr/garage-sdk/garage-admin-sdk-golang v0.0.0-20230131081355-c965fe7f7dc9 h1:ERg8KCpIKym98EOKa8Gq0NSBxsasD3sqb/R0gg1wOzU=
+git.deuxfleurs.fr/garage-sdk/garage-admin-sdk-golang v0.0.0-20230131081355-c965fe7f7dc9/go.mod h1:TlSL6QVxozmdRaSgP6Akspi0HCJv4HAkkq3Dldru4GM=
+git.deuxfleurs.fr/garage-sdk/garage-admin-sdk-golang v0.0.0-20231128153612-8b81fae65e5e h1:h89CAh0qmUcGJykss/utXIw+yRGa3Gr6VyrZ5ZWN0kY=
+git.deuxfleurs.fr/garage-sdk/garage-admin-sdk-golang v0.0.0-20231128153612-8b81fae65e5e/go.mod h1:TlSL6QVxozmdRaSgP6Akspi0HCJv4HAkkq3Dldru4GM=
+github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
+github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo=
+github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
+github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI=
+github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI=
+github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU=
+github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
+github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/dustin/go-humanize v1.0.0/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk=
 github.com/emersion/go-sasl v0.0.0-20190817083125-240c8404624e/go.mod h1:G/dpzLu16WtQpBfQ/z3LYiYJn3ZhKSGWn83fyoyQe/k=
@@ -6,15 +52,68 @@ github.com/emersion/go-sasl v0.0.0-20191210011802-430746ea8b9b h1:uhWtEWBHgop1rq
 github.com/emersion/go-sasl v0.0.0-20191210011802-430746ea8b9b/go.mod h1:G/dpzLu16WtQpBfQ/z3LYiYJn3ZhKSGWn83fyoyQe/k=
 github.com/emersion/go-smtp v0.12.1 h1:1R8BDqrR2HhlGwgFYcOi+BVTvK1bMjAB65QcVpJ5sNA=
 github.com/emersion/go-smtp v0.12.1/go.mod h1:SD9V/xa4ndMw77lR3Mf7htkp8RBNYuPh9UeuBs9tpUQ=
+github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
+github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
+github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98=
+github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
 github.com/go-asn1-ber/asn1-ber v1.3.1 h1:gvPdv/Hr++TRFCl0UbPFHC54P9N9jgsRPnmnr419Uck=
 github.com/go-asn1-ber/asn1-ber v1.3.1/go.mod h1:hEBeB/ic+5LoWskz+yKT7vGhhPYkProFKoKdwZRWMe0=
-github.com/go-ldap/ldap v3.0.3+incompatible h1:HTeSZO8hWMS1Rgb2Ziku6b8a7qRIZZMHjsvuZyatzwk=
+github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU=
-github.com/go-ldap/ldap v3.0.3+incompatible/go.mod h1:qfd9rJvER9Q0/D/Sqn1DfHRoBp40uXYvFoEVrNEPqRc=
+github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
+github.com/go-gl/glfw/v3.3/glfw v0.0.0-20200222043503-6f7a984d4dc4/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
 github.com/go-ldap/ldap/v3 v3.1.6 h1:VTihvB7egSAvU6KOagaiA/EvgJMR2jsjRAVIho2ydBo=
 github.com/go-ldap/ldap/v3 v3.1.6/go.mod h1:5Zun81jBTabRaI8lzN7E1JjyEl1g6zI6u9pd8luAK4Q=
+github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
+github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
+github.com/golang/groupcache v0.0.0-20191227052852-215e87163ea7/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
+github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
+github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
+github.com/golang/mock v1.2.0/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
+github.com/golang/mock v1.3.1/go.mod h1:sBzyDLLjw3U8JLTeZvSv8jJB+tU5PVekmnlKIyFUx0Y=
+github.com/golang/mock v1.4.0/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt3cw=
+github.com/golang/mock v1.4.1/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt3cw=
+github.com/golang/mock v1.4.3/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt3cw=
+github.com/golang/mock v1.4.4/go.mod h1:l3mdAwkq5BuhzHwde/uurv3sEJeZMXNpwsxVWU71h+4=
+github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
+github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
+github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
+github.com/golang/protobuf v1.3.3/go.mod h1:vzj43D7+SQXF/4pzW/hwtAqwc6iTitCiVSaWz5lYuqw=
+github.com/golang/protobuf v1.3.4/go.mod h1:vzj43D7+SQXF/4pzW/hwtAqwc6iTitCiVSaWz5lYuqw=
+github.com/golang/protobuf v1.3.5/go.mod h1:6O5/vntMXwX2lRkT1hjjk0nAC1IDOTvTlVgjlRvqsdk=
+github.com/golang/protobuf v1.4.0-rc.1/go.mod h1:ceaxUfeHdC40wWswd/P6IGgMaK3YpKi5j83Wpe3EHw8=
+github.com/golang/protobuf v1.4.0-rc.1.0.20200221234624-67d41d38c208/go.mod h1:xKAWHe0F5eneWXFV3EuXVDTCmh+JuBKY0li0aMyXATA=
+github.com/golang/protobuf v1.4.0-rc.2/go.mod h1:LlEzMj4AhA7rCAGe4KMBDvJI+AwstrUpVNzEA03Pprs=
+github.com/golang/protobuf v1.4.0-rc.4.0.20200313231945-b860323f09d0/go.mod h1:WU3c8KckQ9AFe+yFwt9sWVRKCVIyN9cPHBJSNnbL67w=
+github.com/golang/protobuf v1.4.0/go.mod h1:jodUvKwWbYaEsadDk5Fwe5c77LiNKVO9IDvqG2KuDX0=
+github.com/golang/protobuf v1.4.1/go.mod h1:U8fpvMrcmy5pZrNK1lt4xCsGvpyWQ/VVv6QDs8UjoX8=
+github.com/golang/protobuf v1.4.2 h1:+Z5KGCizgyZCbGh1KZqA0fcLLkwbsjIzS4aV2v7wJX0=
+github.com/golang/protobuf v1.4.2/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI=
+github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
+github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
+github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M=
+github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
+github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
+github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
+github.com/google/go-cmp v0.4.1/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
+github.com/google/go-cmp v0.5.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
+github.com/google/go-cmp v0.5.1 h1:JFrFEBb2xKufg6XkJsJr+WbKb4FQlURi5RUcBveYu9k=
+github.com/google/go-cmp v0.5.1/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
+github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs=
+github.com/google/martian/v3 v3.0.0/go.mod h1:y5Zk1BBys9G+gd6Jrk0W3cC1+ELVxBWuIGO+w/tUAp0=
+github.com/google/pprof v0.0.0-20181206194817-3ea8567a2e57/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc=
+github.com/google/pprof v0.0.0-20190515194954-54271f7e092f/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc=
+github.com/google/pprof v0.0.0-20191218002539-d4f498aebedc/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM=
+github.com/google/pprof v0.0.0-20200212024743-f11f1df84d12/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM=
+github.com/google/pprof v0.0.0-20200229191704-1ebb73c60ed3/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM=
+github.com/google/pprof v0.0.0-20200430221834-fc25d7d30c6d/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM=
+github.com/google/pprof v0.0.0-20200708004538-1a94d8640e99/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM=
+github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI=
 github.com/google/uuid v1.1.1 h1:Gkbcsh/GbpXz7lPftLA3P6TYMwjCLYm83jiFQZF/3gY=
 github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg=
+github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk=
+github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1 h1:EGx4pi6eqNxGaHF6qqu48+N2wcFQ5qg5FXgOdqsJ5d8=
 github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY=
 github.com/gorilla/mux v1.7.3 h1:gnP5JzjVOuiZD07fKKToCAOjS0yOpj/qPETTXCCS6hw=
 github.com/gorilla/mux v1.7.3/go.mod h1:1lud6UwP+6orDFRuTfBEV8e9/aOM/c4fVVCaMa2zaAs=
@@ -22,15 +121,24 @@ github.com/gorilla/securecookie v1.1.1 h1:miw7JPhV+b/lAHSXz4qd/nN9jRiAFV5FwjeKyC
 github.com/gorilla/securecookie v1.1.1/go.mod h1:ra0sb63/xPlUeL+yeDciTfxMRAA+MP+HVt/4epWDjd4=
 github.com/gorilla/sessions v1.2.0 h1:S7P+1Hm5V/AT9cjEcUD5uDaQSX0OE577aCXgoaKpYbQ=
 github.com/gorilla/sessions v1.2.0/go.mod h1:dk2InVEVJ0sfLlnXv9EAgkf6ecYs/i80K/zI+bUmuGM=
+github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
+github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
+github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
+github.com/jsimonetti/pwscheme v0.0.0-20220125093853-4d9895f5db73 h1:ZhC4QngptYaGx53+ph1RjxcH8fkCozBaY+935TNX4i8=
+github.com/jsimonetti/pwscheme v0.0.0-20220125093853-4d9895f5db73/go.mod h1:t0Q9JvoMTfTYdAWIk2MF69iz+Qpdk9D+PgVu6fVmaDI=
 github.com/json-iterator/go v1.1.10 h1:Kz6Cvnvv2wGdaG/V8yMvfkmNiXq9Ya2KUv4rouJJr68=
 github.com/json-iterator/go v1.1.10/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
+github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU=
+github.com/jstemmer/go-junit-report v0.9.1/go.mod h1:Brl9GWCQeLvo8nXZwPNNblvFj/XSXhF0NWZEnDohbsk=
+github.com/jtolds/gls v4.20.0+incompatible h1:xdiiI2gbIgH/gLH7ADydsJ1uDOEzR8yvV7C0MuV77Wo=
 github.com/jtolds/gls v4.20.0+incompatible/go.mod h1:QJZ7F/aHp+rZTRtaJ1ow/lLfFfVYBRgL+9YlvaHOwJU=
+github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
 github.com/klauspost/cpuid v1.2.3 h1:CCtW0xUnWGVINKvE/WWOYKdsPV6mawAtvQuSl8guwQs=
 github.com/klauspost/cpuid v1.2.3/go.mod h1:Pj4uuM528wm8OyEC2QMXAi2YiTZ96dNQPGgoMS4s3ek=
-github.com/konsorten/go-windows-terminal-sequences v1.0.1 h1:mweAR1A6xJ3oS2pRaGiHgQ4OO8tzTaLawm8vnODuwDk=
-github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
-github.com/konsorten/go-windows-terminal-sequences v1.0.3 h1:CE8S1cTafDpPvMhIxNJKvHsGVBgn1xWYf1NbHQhywc8=
 github.com/konsorten/go-windows-terminal-sequences v1.0.3/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
+github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
+github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
+github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
 github.com/minio/md5-simd v1.1.0 h1:QPfiOqlZH+Cj9teu0t9b1nTBfPbyTl16Of5MeuShdK4=
 github.com/minio/md5-simd v1.1.0/go.mod h1:XpBqgZULrMYD3R+M28PcmP0CkI7PEMzB3U77ZrKZ0Gw=
 github.com/minio/minio-go/v7 v7.0.0 h1:99hRCmsmMi+hKK93C26iPnRQebTsdK8GEx8Xb4XLr7I=
@@ -45,33 +153,282 @@ github.com/modern-go/reflect2 v0.0.0-20180701023420-4b7aa43c6742 h1:Esafd1046DLD
 github.com/modern-go/reflect2 v0.0.0-20180701023420-4b7aa43c6742/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
 github.com/nfnt/resize v0.0.0-20180221191011-83c6a9932646 h1:zYyBkD/k9seD2A7fsi6Oo2LfFZAehjjQMERAvZLEDnQ=
 github.com/nfnt/resize v0.0.0-20180221191011-83c6a9932646/go.mod h1:jpp1/29i3P1S/RLdc7JQKbRpFeM1dOBd8T9ki5s+AY8=
+github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/sirupsen/logrus v1.4.2 h1:SPIRibHv4MatM3XXNO2BJeFLZwZ2LvZgfQ5+UNI2im4=
+github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
-github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE=
+github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
-github.com/sirupsen/logrus v1.6.0 h1:UBcNElsrwanuuMsnGSlYmtmgbb23qDR5dG+6X6Oo89I=
 github.com/sirupsen/logrus v1.6.0/go.mod h1:7uNnSEd1DgxDLC74fIahvMZmmYsHGZGEOFrfsX/uA88=
+github.com/smartystreets/assertions v0.0.0-20180927180507-b2de0cb4f26d h1:zE9ykElWQ6/NYmHa3jpm/yHnI4xSofP+UP6SpjHcSeM=
 github.com/smartystreets/assertions v0.0.0-20180927180507-b2de0cb4f26d/go.mod h1:OnSkiWE9lh6wB0YB77sQom3nweQdgAjqCqsofrRNTgc=
+github.com/smartystreets/goconvey v0.0.0-20190330032615-68dc04aab96a h1:pa8hGb/2YqsZKovtsgrwcDH1RZhVbTKCjLp47XpqCDs=
 github.com/smartystreets/goconvey v0.0.0-20190330032615-68dc04aab96a/go.mod h1:syvi0/a8iFYH4r/RixwvyeAJjdLS9QV7WQ/tjFTllLA=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
-github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
+github.com/stretchr/testify v1.4.0 h1:2E4SXV/wtOkTonXsotYi4li6zVWxYlZuYNCXe9XRJyk=
+github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
+github.com/yuin/goldmark v1.1.25/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
+github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
+github.com/yuin/goldmark v1.1.32/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
+go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU=
+go.opencensus.io v0.22.0/go.mod h1:+kGneAE2xo2IficOXnaByMWTGM9T73dGwxeWcUqIpI8=
+go.opencensus.io v0.22.2/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
+go.opencensus.io v0.22.3/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
+go.opencensus.io v0.22.4/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
+golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20190513172903-22d7a77e9e5f/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
-golang.org/x/crypto v0.0.0-20200214034016-1d94cc7ab1c6 h1:Sy5bstxEqwwbYs6n0/pBuxKENqOeZUgD45Gp3Q3pqLg=
+golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
-golang.org/x/crypto v0.0.0-20200214034016-1d94cc7ab1c6/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
+golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
+golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9 h1:psW17arqaxU48Z5kZ0CQnkZWQJsqcURM6tKiBApRjXI=
+golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
+golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
+golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
+golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
+golang.org/x/exp v0.0.0-20190829153037-c13cbed26979/go.mod h1:86+5VVa7VpoJ4kLfm080zCjGlMRFzhUhsZKEZO7MGek=
+golang.org/x/exp v0.0.0-20191030013958-a1ab85dbe136/go.mod h1:JXzH8nQsPlswgeRAPE3MuO9GYsAcnJvJ4vnMwN/5qkY=
+golang.org/x/exp v0.0.0-20191129062945-2f5052295587/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4=
+golang.org/x/exp v0.0.0-20191227195350-da58074b4299/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4=
+golang.org/x/exp v0.0.0-20200119233911-0405dc783f0a/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4=
+golang.org/x/exp v0.0.0-20200207192155-f17229e696bd/go.mod h1:J/WKrq2StrnmMY6+EHIKF9dgMWnmCNThgcyBT1FY9mM=
+golang.org/x/exp v0.0.0-20200224162631-6cc2880d07d6/go.mod h1:3jZMyOhIsHpP37uCMkUooju7aAi5cS1Q23tOzKc+0MU=
+golang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js=
+golang.org/x/image v0.0.0-20190802002840-cff245a6509b/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0=
+golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
+golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU=
+golang.org/x/lint v0.0.0-20190301231843-5614ed5bae6f/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
+golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
+golang.org/x/lint v0.0.0-20190409202823-959b441ac422/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
+golang.org/x/lint v0.0.0-20190909230951-414d861bb4ac/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
+golang.org/x/lint v0.0.0-20190930215403-16217165b5de/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
+golang.org/x/lint v0.0.0-20191125180803-fdd1cda4f05f/go.mod h1:5qLYkcX4OjUUV8bRuDixDT3tpyyb+LUpUlRWLxfhWrs=
+golang.org/x/lint v0.0.0-20200130185559-910be7a94367/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
+golang.org/x/lint v0.0.0-20200302205851-738671d3881b/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
+golang.org/x/mobile v0.0.0-20190312151609-d3739f865fa6/go.mod h1:z+o9i4GpDbdi3rU15maQ/Ox0txvL9dWGYEHz965HBQE=
+golang.org/x/mobile v0.0.0-20190719004257-d2bd2a29d028/go.mod h1:E/iHnbuqvinMTCcRqshq8CkpyQDoeVncDDYHnLhea+o=
+golang.org/x/mod v0.0.0-20190513183733-4bf6d317e70e/go.mod h1:mXi4GBBbnImb6dmsKGUJ2LatrhH/nqhxcFungHvyanc=
+golang.org/x/mod v0.1.0/go.mod h1:0QHyrYULN0/3qlju5TqG8bIK38QM8yzMo5ekMj3DlcY=
+golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg=
+golang.org/x/mod v0.1.1-0.20191107180719-034126e5016b/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg=
+golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
+golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
+golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/net v0.0.0-20190108225652-1e06a53dbb7e/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
-golang.org/x/net v0.0.0-20190522155817-f3200d17e092 h1:4QSRKanuywn15aTZvI/mIDEgPQpswuFndXpOj3rKEco=
+golang.org/x/net v0.0.0-20190501004415-9ce7a6920f09/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
+golang.org/x/net v0.0.0-20190503192946-f4e77d36d62c/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190522155817-f3200d17e092/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks=
+golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks=
+golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20190628185345-da137c7871d7/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20190724013045-ca1201d0de80/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20191209160850-c0dbc17a3553/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20200114155413-6afb5195e5aa/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20200202094626-16171245cfb2/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20200222125558-5a598a2470a0/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20200301022130-244492dfa37a/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20200324143707-d3edc9973b7e/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
+golang.org/x/net v0.0.0-20200501053045-e0ff5e5a1de5/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
+golang.org/x/net v0.0.0-20200506145744-7e3656a0809f/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
+golang.org/x/net v0.0.0-20200513185701-a91f0712d120/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
+golang.org/x/net v0.0.0-20200520182314-0ba52f642ac2/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
+golang.org/x/net v0.0.0-20200625001655-4c5254603344/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
+golang.org/x/net v0.0.0-20200707034311-ab3426394381/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
+golang.org/x/net v0.0.0-20200822124328-c89045814202 h1:VvcQYSHwXgi7W+TpUR6A9g6Up98WAHf3f/ulnJ62IyA=
+golang.org/x/net v0.0.0-20200822124328-c89045814202/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
+golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
+golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
+golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
+golang.org/x/oauth2 v0.0.0-20191202225959-858c2ad4c8b6/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
+golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
+golang.org/x/oauth2 v0.0.0-20210323180902-22b0adad7558 h1:D7nTwh4J0i+5mW4Zjzn5omvlr6YBcWywE6KOcatyNxY=
+golang.org/x/oauth2 v0.0.0-20210323180902-22b0adad7558/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
+golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20190227155943-e225da77a7e6/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20200317015054-43a5402ce75a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20190312061237-fead79001313/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20190422165155-953cdadca894 h1:Cz4ceDQGXuKRnVBDTS23GTn/pU5OE2C0WrNTOYK1Uuc=
 golang.org/x/sys v0.0.0-20190422165155-953cdadca894/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200223170610-d5e6a3e2c0ae h1:/WDfKMnPU+m5M4xB+6x4kaepxRw6jWvR5iDRdvjHgy8=
+golang.org/x/sys v0.0.0-20190502145724-3ef323f4f1fd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20190507160741-ecd444e8653b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20190606165138-5da285871e9c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20190624142023-c5567b49c5d0/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20190726091711-fc99dfbffb4e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20191001151750-bb3f8db39f24/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20191204072324-ce4227a45e2e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20191228213918-04cbcbbfeed8/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200113162924-86b910548bc1/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200122134326-e047566fdf82/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200202164722-d101bd2416d5/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200212091648-12a6c2dcc1e4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200223170610-d5e6a3e2c0ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/text v0.3.0 h1:g61tztE5qeGQ89tm6NTjjM9VPIm088od1l6aSorWRWg=
+golang.org/x/sys v0.0.0-20200302150141-5c8b2ff67527/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200331124033-c3d80250170d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200501052902-10377860bb8e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200511232937-7e40ca221e25/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200515095857-1151b9dac4a9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200523222454-059865788121/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200803210538-64077c9b5642/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.12.0 h1:CM0HF96J0hcLAwsHPJZjfdNzs0gftsLfgKt57wWHJ0o=
+golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/term v0.12.0 h1:/ZfYdc3zq+q02Rv9vGqTeSItdzZTSNDmfTi0mBAuidU=
+golang.org/x/term v0.12.0/go.mod h1:owVbMEjm3cBLCHdkQu9b1opXd4ETQWc3BhuQGKgXgvU=
+golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
+golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
+golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
+golang.org/x/text v0.3.3 h1:cokOdA+Jmi5PJGXLlLllQSgYigAEfHXJAERHVMaCc2k=
+golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
+golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
+golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
+golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY=
+golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
+golang.org/x/tools v0.0.0-20190312151545-0bb0c0a6e846/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
+golang.org/x/tools v0.0.0-20190312170243-e65039ee4138/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
 golang.org/x/tools v0.0.0-20190328211700-ab21143f2384/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
+golang.org/x/tools v0.0.0-20190425150028-36563e24a262/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
+golang.org/x/tools v0.0.0-20190506145303-2d16b83fe98c/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
+golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
+golang.org/x/tools v0.0.0-20190606124116-d0a3d012864b/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
+golang.org/x/tools v0.0.0-20190621195816-6e04913cbbac/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
+golang.org/x/tools v0.0.0-20190628153133-6cdbf07be9d0/go.mod h1:/rFqwRUd4F7ZHNgwSSTFct+R/Kf4OFW1sUzUTQQTgfc=
+golang.org/x/tools v0.0.0-20190816200558-6889da9d5479/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/tools v0.0.0-20190911174233-4f2ddba30aff/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/tools v0.0.0-20191012152004-8de300cfc20a/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/tools v0.0.0-20191113191852-77e3bb0ad9e7/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/tools v0.0.0-20191115202509-3a792d9c32b2/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/tools v0.0.0-20191125144606-a911d9008d1f/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/tools v0.0.0-20191130070609-6e064ea0cf2d/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/tools v0.0.0-20191216173652-a0e659d51361/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
+golang.org/x/tools v0.0.0-20191227053925-7b8e75db28f4/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
+golang.org/x/tools v0.0.0-20200117161641-43d50277825c/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
+golang.org/x/tools v0.0.0-20200122220014-bf1340f18c4a/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
+golang.org/x/tools v0.0.0-20200130002326-2f3ba24bd6e7/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
+golang.org/x/tools v0.0.0-20200204074204-1cc6d1ef6c74/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
+golang.org/x/tools v0.0.0-20200207183749-b753a1ba74fa/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
+golang.org/x/tools v0.0.0-20200212150539-ea181f53ac56/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
+golang.org/x/tools v0.0.0-20200224181240-023911ca70b2/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
+golang.org/x/tools v0.0.0-20200227222343-706bc42d1f0d/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
+golang.org/x/tools v0.0.0-20200304193943-95d2e580d8eb/go.mod h1:o4KQGtdN14AW+yjsvvwRTJJuXz8XRtIHtEnmAXLyFUw=
+golang.org/x/tools v0.0.0-20200312045724-11d5b4c81c7d/go.mod h1:o4KQGtdN14AW+yjsvvwRTJJuXz8XRtIHtEnmAXLyFUw=
+golang.org/x/tools v0.0.0-20200331025713-a30bf2db82d4/go.mod h1:Sl4aGygMT6LrqrWclx+PTx3U+LnKx/seiNR+3G19Ar8=
+golang.org/x/tools v0.0.0-20200501065659-ab2804fb9c9d/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
+golang.org/x/tools v0.0.0-20200512131952-2bc93b1c0c88/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
+golang.org/x/tools v0.0.0-20200515010526-7d3b6ebf133d/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
+golang.org/x/tools v0.0.0-20200618134242-20370b0cb4b2/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
+golang.org/x/tools v0.0.0-20200729194436-6467de6f59a7/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA=
+golang.org/x/tools v0.0.0-20200804011535-6c149bb5ef0d/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA=
+golang.org/x/tools v0.0.0-20200825202427-b303f430e36d/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA=
+golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 h1:go1bK/D/BFZV2I8cIQd1NKEZ+0owSTG1fDTci4IqFcE=
+golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+google.golang.org/api v0.4.0/go.mod h1:8k5glujaEP+g9n7WNsDg8QP6cUVNI86fCNMcbazEtwE=
+google.golang.org/api v0.7.0/go.mod h1:WtwebWUNSVBH/HAw79HIFXZNqEvBhG+Ra+ax0hx3E3M=
+google.golang.org/api v0.8.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg=
+google.golang.org/api v0.9.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg=
+google.golang.org/api v0.13.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsbkAI=
+google.golang.org/api v0.14.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsbkAI=
+google.golang.org/api v0.15.0/go.mod h1:iLdEw5Ide6rF15KTC1Kkl0iskquN2gFfn9o9XIsbkAI=
+google.golang.org/api v0.17.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE=
+google.golang.org/api v0.18.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE=
+google.golang.org/api v0.19.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE=
+google.golang.org/api v0.20.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE=
+google.golang.org/api v0.22.0/go.mod h1:BwFmGc8tA3vsd7r/7kR8DY7iEEGSU04BFxCo5jP/sfE=
+google.golang.org/api v0.24.0/go.mod h1:lIXQywCXRcnZPGlsd8NbLnOjtAoL6em04bJ9+z0MncE=
+google.golang.org/api v0.28.0/go.mod h1:lIXQywCXRcnZPGlsd8NbLnOjtAoL6em04bJ9+z0MncE=
+google.golang.org/api v0.29.0/go.mod h1:Lcubydp8VUV7KeIHD9z2Bys/sm/vGKnG1UHuDBSrHWM=
+google.golang.org/api v0.30.0/go.mod h1:QGmEvQ87FHZNiUVJkT14jQNYJ4ZJjdRF23ZXz5138Fc=
+google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
+google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
+google.golang.org/appengine v1.5.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
+google.golang.org/appengine v1.6.1/go.mod h1:i06prIuMbXzDqacNJfV5OdTW448YApPu5ww/cMBSeb0=
+google.golang.org/appengine v1.6.5/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc=
+google.golang.org/appengine v1.6.6 h1:lMO5rYAqUxkmaj76jAkRUvt5JZgFymx/+Q5Mzfivuhc=
+google.golang.org/appengine v1.6.6/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc=
+google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc=
+google.golang.org/genproto v0.0.0-20190307195333-5fe7a883aa19/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
+google.golang.org/genproto v0.0.0-20190418145605-e7d98fc518a7/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
+google.golang.org/genproto v0.0.0-20190425155659-357c62f0e4bb/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
+google.golang.org/genproto v0.0.0-20190502173448-54afdca5d873/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
+google.golang.org/genproto v0.0.0-20190801165951-fa694d86fc64/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc=
+google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc=
+google.golang.org/genproto v0.0.0-20190911173649-1774047e7e51/go.mod h1:IbNlFCBrqXvoKpeg0TB2l7cyZUmoaFKYIwrEpbDKLA8=
+google.golang.org/genproto v0.0.0-20191108220845-16a3f7862a1a/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc=
+google.golang.org/genproto v0.0.0-20191115194625-c23dd37a84c9/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc=
+google.golang.org/genproto v0.0.0-20191216164720-4f79533eabd1/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc=
+google.golang.org/genproto v0.0.0-20191230161307-f3c370f40bfb/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc=
+google.golang.org/genproto v0.0.0-20200115191322-ca5a22157cba/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc=
+google.golang.org/genproto v0.0.0-20200122232147-0452cf42e150/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc=
+google.golang.org/genproto v0.0.0-20200204135345-fa8e72b47b90/go.mod h1:GmwEX6Z4W5gMy59cAlVYjN9JhxgbQH6Gn+gFDQe2lzA=
+google.golang.org/genproto v0.0.0-20200212174721-66ed5ce911ce/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
+google.golang.org/genproto v0.0.0-20200224152610-e50cd9704f63/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
+google.golang.org/genproto v0.0.0-20200228133532-8c2c7df3a383/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
+google.golang.org/genproto v0.0.0-20200305110556-506484158171/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
+google.golang.org/genproto v0.0.0-20200312145019-da6875a35672/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
+google.golang.org/genproto v0.0.0-20200331122359-1ee6d9798940/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
+google.golang.org/genproto v0.0.0-20200430143042-b979b6f78d84/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
+google.golang.org/genproto v0.0.0-20200511104702-f5ebc3bea380/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
+google.golang.org/genproto v0.0.0-20200515170657-fc4c6c6a6587/go.mod h1:YsZOwe1myG/8QRHRsmBRE1LrgQY60beZKjly0O1fX9U=
+google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo=
+google.golang.org/genproto v0.0.0-20200618031413-b414f8b61790/go.mod h1:jDfRM7FcilCzHH/e9qn6dsT145K34l5v+OpcnNgKAAA=
+google.golang.org/genproto v0.0.0-20200729003335-053ba62fc06f/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
+google.golang.org/genproto v0.0.0-20200804131852-c06518451d9c/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
+google.golang.org/genproto v0.0.0-20200825200019-8632dd797987/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
+google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
+google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38=
+google.golang.org/grpc v1.21.1/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM=
+google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg=
+google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQciAY=
+google.golang.org/grpc v1.26.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk=
+google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk=
+google.golang.org/grpc v1.27.1/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk=
+google.golang.org/grpc v1.28.0/go.mod h1:rpkK4SK4GF4Ach/+MFLZUBavHOvF2JJB5uozKKal+60=
+google.golang.org/grpc v1.29.1/go.mod h1:itym6AZVZYACWQqET3MqgPpjcuV5QH3BxFS3IjizoKk=
+google.golang.org/grpc v1.30.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak=
+google.golang.org/grpc v1.31.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak=
+google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
+google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=
+google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM=
+google.golang.org/protobuf v1.20.1-0.20200309200217-e05f789c0967/go.mod h1:A+miEFZTKqfCUM6K7xSMQL9OKL/b6hQv+e19PK+JZNE=
+google.golang.org/protobuf v1.21.0/go.mod h1:47Nbq4nVaFHyn7ilMalzfO3qCViNmqZ2kzikPIcrTAo=
+google.golang.org/protobuf v1.22.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
+google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
+google.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
+google.golang.org/protobuf v1.24.0/go.mod h1:r/3tXBNzIEhYS9I1OUVjXDlt8tc493IdKGjtUeSXeh4=
+google.golang.org/protobuf v1.25.0 h1:Ejskq+SyPohKW+1uil0JJMtmHCgJPJ/qWTxr8qp+R4c=
+google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI=
 gopkg.in/ini.v1 v1.57.0 h1:9unxIsFcTt4I55uWluz+UmL95q4kdJ0buvQ1ZIqVQww=
 gopkg.in/ini.v1 v1.57.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=
+gopkg.in/yaml.v2 v2.2.2 h1:ZCJp+EgiOT7lHqUV2J862kp8Qj64Jo6az82+3Td9dZw=
+gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
+honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
+honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
+honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
+honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg=
+honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
+honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
+rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8=
+rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0=
+rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA=

gomod2nix.toml

@@ -0,0 +1,90 @@
+schema = 3
+
+[mod]
+  [mod."git.deuxfleurs.fr/garage-sdk/garage-admin-sdk-golang"]
+    version = "v0.0.0-20231128153612-8b81fae65e5e"
+    hash = "sha256-o9kbcJ25/cYYwWZz/LBF7ZDyW8bZAjdg5pPu0gvb5JQ="
+  [mod."github.com/emersion/go-sasl"]
+    version = "v0.0.0-20191210011802-430746ea8b9b"
+    hash = "sha256-bADpAn0ZhlTTsEB3MsG8J31cQjTtHTzohX/wkL1aMIc="
+  [mod."github.com/emersion/go-smtp"]
+    version = "v0.12.1"
+    hash = "sha256-fiss5y7chfHv80vIQ9Xwx3J+3qLMA63EOP4OG3DxAtI="
+  [mod."github.com/go-asn1-ber/asn1-ber"]
+    version = "v1.3.1"
+    hash = "sha256-Alh6bUq9HoBDhY+n6W7xNBto/dUMxPGvucA6guarrjc="
+  [mod."github.com/go-ldap/ldap/v3"]
+    version = "v3.1.6"
+    hash = "sha256-UPUdYKOoCQWgl2Onbq1Oql7XU4TeYQA/+j4atwhdKbE="
+  [mod."github.com/golang/protobuf"]
+    version = "v1.4.2"
+    hash = "sha256-zhA1d1Kw1ZV/kDBZ4Iv5miKHjZBhcV8m3BiD1qocJqw="
+  [mod."github.com/google/uuid"]
+    version = "v1.1.1"
+    hash = "sha256-66PXC/RCPUyhS9PhkIPQFR3tbM2zZYDNPGXN7JJj3UE="
+  [mod."github.com/gorilla/mux"]
+    version = "v1.7.3"
+    hash = "sha256-YZSIN7Ua+hPqSIrT+tiRz3aFqJ1EWHvwee+PptpHI28="
+  [mod."github.com/gorilla/securecookie"]
+    version = "v1.1.1"
+    hash = "sha256-IBBYWfdOuXvQsb01DaA8tBizCfAE1J2KLXIn3W+NeJk="
+  [mod."github.com/gorilla/sessions"]
+    version = "v1.2.0"
+    hash = "sha256-4V7yd/vf03CEsb3pz5dbLWwv7t9QgKkEhVXtc1/z5s8="
+  [mod."github.com/jsimonetti/pwscheme"]
+    version = "v0.0.0-20220125093853-4d9895f5db73"
+    hash = "sha256-YF3RKU/4CWvLPgGzUd7Hk/2+41OUFuRWZgzQuqcsKg0="
+  [mod."github.com/json-iterator/go"]
+    version = "v1.1.10"
+    hash = "sha256-jdS2C0WsgsWREBSj+YUzSqdZofMfUMecaOQ/lB9Mu6k="
+  [mod."github.com/klauspost/cpuid"]
+    version = "v1.2.3"
+    hash = "sha256-1IBlONMxKVgudV/mzNrFZB60z8w4xFjVbEU2DoIAoeg="
+  [mod."github.com/minio/md5-simd"]
+    version = "v1.1.0"
+    hash = "sha256-jJbDwg7KlLB991wj1U6y+kJKOUxKVGQrDbM3nY+6qxE="
+  [mod."github.com/minio/minio-go/v7"]
+    version = "v7.0.0"
+    hash = "sha256-xWAELgH6mWVGKFEe2gbzvigJDNk+ELmegJe09KvUqvY="
+  [mod."github.com/minio/sha256-simd"]
+    version = "v0.1.1"
+    hash = "sha256-HpcuLTnpcyKe0ua2MN/ysK5cXdrwquDjrx4Y2dG6W2s="
+  [mod."github.com/mitchellh/go-homedir"]
+    version = "v1.1.0"
+    hash = "sha256-oduBKXHAQG8X6aqLEpqZHs5DOKe84u6WkBwi4W6cv3k="
+  [mod."github.com/modern-go/concurrent"]
+    version = "v0.0.0-20180228061459-e0a39a4cb421"
+    hash = "sha256-+bdeHUArnpkk4eMQIwXm9K249NkpwAjoTrXrGn/4VUE="
+  [mod."github.com/modern-go/reflect2"]
+    version = "v0.0.0-20180701023420-4b7aa43c6742"
+    hash = "sha256-RyIwgrPwtd4lNjLGkBVxRvu5IdXLDqf5F69QWLm0zLw="
+  [mod."github.com/nfnt/resize"]
+    version = "v0.0.0-20180221191011-83c6a9932646"
+    hash = "sha256-yvPV+HlDOyJsiwAcVHQkmtw8DHSXyw+cXHkigXm8rAA="
+  [mod."golang.org/x/crypto"]
+    version = "v0.0.0-20200622213623-75b288015ac9"
+    hash = "sha256-QvFbJEm3gXs2NtaaREbkbAtdHpU4fqX+0C0EvTezdKM="
+  [mod."golang.org/x/net"]
+    version = "v0.0.0-20200822124328-c89045814202"
+    hash = "sha256-wg5IrlVfnsRL86dbi3WJ9XA6Er6JuuyusytIPf18mO0="
+  [mod."golang.org/x/oauth2"]
+    version = "v0.0.0-20210323180902-22b0adad7558"
+    hash = "sha256-mQv+EELtNg99ZYiRFxel405A66PtHK6eCx6XM3vqKG8="
+  [mod."golang.org/x/sys"]
+    version = "v0.12.0"
+    hash = "sha256-Ht/PhBJGWNBg4ksmdUu4+7hJjFypSwoUN/8DJricd+0="
+  [mod."golang.org/x/term"]
+    version = "v0.12.0"
+    hash = "sha256-NFko0uqv/r2VxrbSgS1IwWzaWQK3RZuk0MvUV+qxIsc="
+  [mod."golang.org/x/text"]
+    version = "v0.3.3"
+    hash = "sha256-kiauoT7vd7Mh2AW7TnceQyoCDsARxWkDZu1OSD9dCZw="
+  [mod."google.golang.org/appengine"]
+    version = "v1.6.6"
+    hash = "sha256-nZnEfsXy3mgzRnlyWGHJKqsosvnAQFkhVszw3DSFe6Y="
+  [mod."google.golang.org/protobuf"]
+    version = "v1.25.0"
+    hash = "sha256-3sf57K5A0nmA1UmDe+6FUNJI6UR+SfVyZWNv+2TGHT4="
+  [mod."gopkg.in/ini.v1"]
+    version = "v1.57.0"
+    hash = "sha256-WSjX+qHJ1Rf4FRMTs7udQwEBkIo+z8+EK3uB5CebrZ4="

integration/README.md

@@ -0,0 +1,16 @@
+# Intégration de Guichet dans un environnement de dev/test
+
+## Dev process
+
+On utilise `docker compose` pour mettre en place l'infrastructure dont dépend Guichet, que l'on développe. (On rajoutera Garage dedans plus tard.)
+
+On ne met pas Guichet dans le `compose` pour pouvoir itérer plus rapidement : un `go build` et on a la nouvelle version, sans avoir restart les dépendances (Bottin, Consul...).
+
+## Notes
+
+* Bien récupérer le password `admin` dans les logs de 1er lancement de Bottin : il ne sera pas réaffiché.
+* Identifiant de l'admin sur Guichet : `cn=admin,dc=bottin,dc=eu` because il n'est pas dans `ou=users,dc=bottin,dc=eu` qui est l'organisation par défaut dans laquelle on va chercher les utilisateurs.
+
+## TODO 
+
+* Bridger Garage/S3 (pour le moment ne sert que pour les avatars dans l'annuaire)

integration/config/bottin.json

@@ -0,0 +1,19 @@
+{
+  "suffix": "dc=bottin,dc=eu",
+  "bind": "bottin:389",
+  "consul_host": "consul:8500",
+  "acl": [
+		"ANONYMOUS::bind:*,ou=users,dc=bottin,dc=eu:",
+		"ANONYMOUS::bind:cn=admin,dc=bottin,dc=eu:",
+		"*,dc=bottin,dc=eu::read:*:* !userpassword",
+		"cn=admin,dc=bottin,dc=eu::read add modify delete:*:*",
+		"*:cn=admin,ou=groups,dc=bottin,dc=eu:read add modify delete:*:*",
+
+		"ANONYMOUS::bind:*,ou=invitations,dc=bottin,dc=eu:",
+		"*,ou=invitations,dc=bottin,dc=eu::delete:SELF:*",
+		"*,ou=invitations,dc=bottin,dc=eu::add:*,ou=users,dc=bottin,dc=eu:*",
+		"*,ou=invitations,dc=bottin,dc=eu::modifyAdd:cn=email,ou=groups,dc=bottin,dc=eu:*",
+
+		"*::read modify:SELF:*"
+  ]
+}

integration/config/garage.toml

@@ -0,0 +1,26 @@
+metadata_dir = "/tmp/meta"
+data_dir = "/tmp/data"
+db_engine = "lmdb"
+
+replication_mode = "none"
+
+rpc_bind_addr = "[::]:3901"
+rpc_public_addr = "127.0.0.1:3901"
+rpc_secret = "93086c2378eecea1cc9e83ee0554a8c510359215168774a396dcb5a01f88dd79"
+
+[s3_api]
+s3_region = "garage"
+api_bind_addr = "[::]:3900"
+root_domain = ".s3.garage.localhost"
+
+[s3_web]
+bind_addr = "[::]:3902"
+root_domain = ".web.garage.localhost"
+index = "index.html"
+
+[k2v_api]
+api_bind_addr = "[::]:3904"
+
+[admin]
+api_bind_addr = "0.0.0.0:3903"
+admin_token = "GlXP43PWH3LuvEGSNxKYzZCyUss8VqZmarBU+HUlrxw="

integration/config/guichet.json

@@ -0,0 +1,34 @@
+{
+  "http_bind_addr": ":9991",
+  "ldap_server_addr": "ldap://127.0.0.1:389",
+
+  "base_dn": "dc=bottin,dc=eu",
+  "user_base_dn": "ou=users,dc=bottin,dc=eu",
+  "user_name_attr": "cn",
+  "group_base_dn": "ou=groups,dc=bottin,dc=eu",
+  "group_name_attr": "cn",
+
+  "invitation_base_dn": "ou=invitations,dc=bottin,dc=eu",
+  "invitation_name_attr": "cn",
+  "invited_mail_format": "{}@bottin.eu",
+  "invited_auto_groups": [
+    "cn=email,ou=groups,dc=bottin,dc=eu"
+  ],
+
+  "web_address": "https://guichet.bottin.eu",
+  "mail_from": "welcome@bottin.eu",
+  "smtp_server": "smtp.bottin.eu",
+  "smtp_username": "guichet",
+  "smtp_password": "",
+
+  "admin_account": "cn=admin,dc=bottin,dc=eu",
+  "group_can_admin": "gid=admin,ou=groups,dc=bottin,dc=eu",
+  "group_can_invite": "",
+
+  "s3_endpoint": "garage.bottin.eu",
+  "s3_access_key": "",
+  "s3_secret_key": "",
+  "s3_region": "garage",
+  "s3_bucket": "bottin-pictures"
+}
+

integration/docker-compose.yml

@@ -0,0 +1,31 @@
+version: '3'
+services:
+  consul:
+    # sync with nixos stable packages assuming our stack is up to date
+    # https://search.nixos.org/packages?channel=24.05&from=0&size=50&sort=relevance&type=packages&query=consul
+    image: hashicorp/consul:1.18
+    restart: "always"
+    expose:
+      - 8500
+  bottin:
+    # sync with deuxfleurs/nixcfg/cluster/prod/app/core/deploy/bottin.hcl
+    # to ensure compatibility with prod
+    image: dxflrs/bottin:7h18i30cckckaahv87d3c86pn4a7q41z
+    #command: "-config /etc/bottin.json"
+    restart: "always"
+    depends_on: ["consul"]
+    ports: 
+      - "389:389"
+    volumes:
+      - "./config/bottin.json:/config.json"
+  garage:
+    # sync with deuxfleurs/nixcfg/cluster/prod/app/garage/deploy/garage.hcl
+    # to ensure compatibility with prod
+    image: superboum/garage:v1.0.0-rc1-hotfix-red-ftr-wquorum
+    ports:
+      - "3900:3900"
+      - "3902:3902"
+      - "3903:3903"
+      - "3904:3904"
+    volumes:
+      - "./config/garage.toml:/etc/garage.toml"

invite.go

@@ -21,29 +21,29 @@ import (
 
 var EMAIL_REGEXP = regexp.MustCompile("^[a-zA-Z0-9.!#$%&'*+\\/=?^_`{|}~-]+@[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?(?:\\.[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?)*$")
 
-func checkInviterLogin(w http.ResponseWriter, r *http.Request) *LoginStatus {
+func checkInviterLogin(w http.ResponseWriter, r *http.Request) *LoggedUser {
-	login := checkLogin(w, r)
+	user := RequireUserHtml(w, r)
-	if login == nil {
+	if user == nil {
 		return nil
 	}
 
-	if !login.CanInvite {
+	if !user.Capabilities.CanInvite {
 		http.Error(w, "Not authorized to invite new users.", http.StatusUnauthorized)
 		return nil
 	}
 
-	return login
+	return user
 }
 
 // New account creation directly from interface
 
 func handleInviteNewAccount(w http.ResponseWriter, r *http.Request) {
-	login := checkInviterLogin(w, r)
+	user := checkInviterLogin(w, r)
-	if login == nil {
+	if user == nil {
 		return
 	}
 
-	handleNewAccount(w, r, login.conn, login.Info.DN)
+	handleNewAccount(w, r, user.Login.conn, user.Login.Info.DN())
 }
 
 // New account creation using code
@@ -52,15 +52,16 @@ func handleInvitationCode(w http.ResponseWriter, r *http.Request) {
 	code := mux.Vars(r)["code"]
 	code_id, code_pw := readCode(code)
 
-	l := ldapOpen(w)
+	l, err := NewLdapCon()
-	if l == nil {
+	if err != nil {
-		return
+		http.Error(w, err.Error(), http.StatusInternalServerError)
 	}
 
 	inviteDn := config.InvitationNameAttr + "=" + code_id + "," + config.InvitationBaseDN
-	err := l.Bind(inviteDn, code_pw)
+	err = l.Bind(inviteDn, code_pw)
 	if err != nil {
-		templateInviteInvalidCode := template.Must(template.ParseFiles("templates/layout.html", "templates/invite_invalid_code.html"))
+		log.Println(err)
+		templateInviteInvalidCode := getTemplate("invite_invalid_code.html")
 		templateInviteInvalidCode.Execute(w, nil)
 		return
 	}
@@ -110,7 +111,7 @@ type NewAccountData struct {
 }
 
 func handleNewAccount(w http.ResponseWriter, r *http.Request, l *ldap.Conn, invitedBy string) bool {
-	templateInviteNewAccount := template.Must(template.ParseFiles("templates/layout.html", "templates/invite_new_account.html"))
+	templateInviteNewAccount := getTemplate("invite_new_account.html")
 
 	data := &NewAccountData{}
 
@@ -133,9 +134,12 @@ func handleNewAccount(w http.ResponseWriter, r *http.Request, l *ldap.Conn, invi
 }
 
 func tryCreateAccount(l *ldap.Conn, data *NewAccountData, pass1 string, pass2 string, invitedBy string) {
+	checkFailed := false
+
 	// Check if username is correct
-	if match, err := regexp.MatchString("^[a-zA-Z0-9._-]+$", data.Username); !(err == nil && match) {
+	if match, err := regexp.MatchString("^[a-z0-9._-]+$", data.Username); !(err == nil && match) {
 		data.ErrorInvalidUsername = true
+		checkFailed = true
 	}
 
 	// Check if user exists
@@ -150,22 +154,26 @@ func tryCreateAccount(l *ldap.Conn, data *NewAccountData, pass1 string, pass2 st
 	sr, err := l.Search(searchRq)
 	if err != nil {
 		data.ErrorMessage = err.Error()
-		return
+		checkFailed = true
 	}
 
 	if len(sr.Entries) > 0 {
 		data.ErrorUsernameTaken = true
-		return
+		checkFailed = true
 	}
 
 	// Check that password is long enough
 	if len(pass1) < 8 {
 		data.ErrorPasswordTooShort = true
-		return
+		checkFailed = true
 	}
 
 	if pass1 != pass2 {
 		data.ErrorPasswordMismatch = true
+		checkFailed = true
+	}
+
+	if checkFailed {
 		return
 	}
 
@@ -173,7 +181,12 @@ func tryCreateAccount(l *ldap.Conn, data *NewAccountData, pass1 string, pass2 st
 	req := ldap.NewAddRequest(userDn, nil)
 	req.Attribute("objectclass", []string{"inetOrgPerson", "organizationalPerson", "person", "top"})
 	req.Attribute("structuralobjectclass", []string{"inetOrgPerson"})
-	req.Attribute("userpassword", []string{SSHAEncode([]byte(pass1))})
+	pw, err := SSHAEncode(pass1)
+	if err != nil {
+		data.ErrorMessage = err.Error()
+		return
+	}
+	req.Attribute("userpassword", []string{pw})
 	req.Attribute("invitedby", []string{invitedBy})
 	if len(data.DisplayName) > 0 {
 		req.Attribute("displayname", []string{data.DisplayName})
@@ -227,10 +240,10 @@ type CodeMailFields struct {
 }
 
 func handleInviteSendCode(w http.ResponseWriter, r *http.Request) {
-	templateInviteSendCode := template.Must(template.ParseFiles("templates/layout.html", "templates/invite_send_code.html"))
+	templateInviteSendCode := getTemplate("invite_send_code.html")
 
-	login := checkInviterLogin(w, r)
+	user := checkInviterLogin(w, r)
-	if login == nil {
+	if user == nil {
 		return
 	}
 
@@ -245,24 +258,29 @@ func handleInviteSendCode(w http.ResponseWriter, r *http.Request) {
 		sendto := strings.Join(r.Form["sendto"], "")
 
 		if choice == "display" || choice == "send" {
-			trySendCode(login, choice, sendto, data)
+			trySendCode(user, choice, sendto, data)
 		}
 	}
 
 	templateInviteSendCode.Execute(w, data)
 }
 
-func trySendCode(login *LoginStatus, choice string, sendto string, data *SendCodeData) {
+func trySendCode(user *LoggedUser, choice string, sendto string, data *SendCodeData) {
 	// Generate code
 	code, code_id, code_pw := genCode()
 
 	// Create invitation object in database
 	inviteDn := config.InvitationNameAttr + "=" + code_id + "," + config.InvitationBaseDN
 	req := ldap.NewAddRequest(inviteDn, nil)
-	req.Attribute("userpassword", []string{SSHAEncode([]byte(code_pw))})
+	pw, err := SSHAEncode(code_pw)
+	if err != nil {
+		data.ErrorMessage = err.Error()
+		return
+	}
+	req.Attribute("userpassword", []string{pw})
 	req.Attribute("objectclass", []string{"top", "invitationCode"})
 
-	err := login.conn.Add(req)
+	err = user.Login.conn.Add(req)
 	if err != nil {
 		data.ErrorMessage = err.Error()
 		return
@@ -281,12 +299,12 @@ func trySendCode(login *LoginStatus, choice string, sendto string, data *SendCod
 		return
 	}
 
-	templateMail := template.Must(template.ParseFiles("templates/invite_mail.txt"))
+	templateMail := template.Must(template.ParseFiles(templatePath + "/invite_mail.txt"))
 	buf := bytes.NewBuffer([]byte{})
 	templateMail.Execute(buf, &CodeMailFields{
 		To:             sendto,
 		From:           config.MailFrom,
-		InviteFrom:     login.WelcomeName(),
+		InviteFrom:     user.WelcomeName(),
 		Code:           code,
 		WebBaseAddress: config.WebAddress,
 	})

login.go

@@ -0,0 +1,298 @@
+package main
+
+import (
+	"crypto/tls"
+	"errors"
+	"fmt"
+	"net/http"
+	"strings"
+
+	garage "git.deuxfleurs.fr/garage-sdk/garage-admin-sdk-golang"
+	"github.com/go-ldap/ldap/v3"
+)
+
+var (
+	ErrNotAuthenticatedSession = fmt.Errorf("User has no session")
+	ErrNotAuthenticatedBasic   = fmt.Errorf("User has not sent Authentication Basic information")
+	ErrNotAuthenticated        = fmt.Errorf("User is not authenticated")
+	ErrWrongLDAPCredentials    = fmt.Errorf("LDAP credentials are wrong")
+	ErrLDAPServerUnreachable   = fmt.Errorf("Unable to open the LDAP server")
+	ErrLDAPSearchInternalError = fmt.Errorf("LDAP Search of this user failed with an internal error")
+	ErrLDAPSearchNotFound      = fmt.Errorf("User is authenticated but its associated data can not be found during search")
+)
+
+// --- Login Info ---
+type LoginInfo struct {
+	Username string
+	Password string
+}
+
+func NewLoginInfoFromSession(r *http.Request) (*LoginInfo, error) {
+	session, err := store.Get(r, SESSION_NAME)
+	if err == nil {
+		username, ok_user := session.Values["login_username"]
+		password, ok_pwd := session.Values["login_password"]
+
+		if ok_user && ok_pwd {
+			loginInfo := &LoginInfo{
+				Username: username.(string),
+				Password: password.(string),
+			}
+			return loginInfo, nil
+		}
+	}
+
+	return nil, errors.Join(ErrNotAuthenticatedSession, err)
+}
+
+func NewLoginInfoFromBasicAuth(r *http.Request) (*LoginInfo, error) {
+	username, password, ok := r.BasicAuth()
+	if ok {
+		login_info := &LoginInfo{
+			Username: username,
+			Password: password,
+		}
+
+		return login_info, nil
+	}
+	return nil, ErrNotAuthenticatedBasic
+}
+
+func (li *LoginInfo) DN() string {
+	user_dn := fmt.Sprintf("%s=%s,%s", config.UserNameAttr, li.Username, config.UserBaseDN)
+	if strings.EqualFold(li.Username, config.AdminAccount) {
+		user_dn = li.Username
+	}
+
+	return user_dn
+}
+
+// --- Login Status ---
+type LoginStatus struct {
+	Info *LoginInfo
+	conn *ldap.Conn
+}
+
+func NewLoginStatus(r *http.Request, login_info *LoginInfo) (*LoginStatus, error) {
+	l, err := NewLdapCon()
+	if err != nil {
+		return nil, err
+	}
+
+	err = l.Bind(login_info.DN(), login_info.Password)
+	if err != nil {
+		return nil, errors.Join(ErrWrongLDAPCredentials, err)
+	}
+
+	loginStatus := &LoginStatus{
+		Info: login_info,
+		conn: l,
+	}
+	return loginStatus, nil
+}
+
+func NewLdapCon() (*ldap.Conn, error) {
+	l, err := ldap.DialURL(config.LdapServerAddr)
+	if err != nil {
+		return nil, errors.Join(ErrLDAPServerUnreachable, err)
+	}
+
+	if config.LdapTLS {
+		err = l.StartTLS(&tls.Config{InsecureSkipVerify: true})
+		if err != nil {
+			return nil, errors.Join(ErrLDAPServerUnreachable, err)
+		}
+	}
+
+	return l, nil
+}
+
+// --- Capabilities ---
+type Capabilities struct {
+	CanAdmin  bool
+	CanInvite bool
+}
+
+func NewCapabilities(login *LoginStatus, entry *ldap.Entry) *Capabilities {
+	// Initialize
+	canAdmin := false
+	canInvite := false
+
+	// Special case for the "admin" account that is de-facto admin
+	canAdmin = strings.EqualFold(login.Info.DN(), config.AdminAccount)
+
+	// Check if this account is part of a group that give capabilities
+	for _, attr := range entry.Attributes {
+		if strings.EqualFold(attr.Name, "memberof") {
+			for _, group := range attr.Values {
+				if config.GroupCanInvite != "" && strings.EqualFold(group, config.GroupCanInvite) {
+					canInvite = true
+				}
+				if config.GroupCanAdmin != "" && strings.EqualFold(group, config.GroupCanAdmin) {
+					canAdmin = true
+				}
+			}
+		}
+	}
+
+	return &Capabilities{
+		CanAdmin:  canAdmin,
+		CanInvite: canInvite,
+	}
+}
+
+// --- Logged User ---
+type LoggedUser struct {
+	Username     string
+	Login        *LoginStatus
+	Entry        *ldap.Entry
+	Capabilities *Capabilities
+	Quota        *UserQuota
+	s3key        *garage.KeyInfo
+}
+
+func NewLoggedUser(login *LoginStatus) (*LoggedUser, error) {
+	requestKind := "(objectClass=organizationalPerson)"
+	if strings.EqualFold(login.Info.DN(), config.AdminAccount) {
+		requestKind = "(objectclass=*)"
+	}
+
+	searchRequest := ldap.NewSearchRequest(
+		login.Info.DN(),
+		ldap.ScopeBaseObject, ldap.NeverDerefAliases, 0, 0, false,
+		requestKind,
+		[]string{
+			"dn",
+			"displayname",
+			"givenname",
+			"sn",
+			"mail",
+			"memberof",
+			"description",
+			"garage_s3_access_key",
+			FIELD_NAME_DIRECTORY_VISIBILITY,
+			FIELD_NAME_PROFILE_PICTURE,
+			FIELD_QUOTA_WEBSITE_SIZE_BURSTED,
+			FIELD_QUOTA_WEBSITE_COUNT,
+		},
+		nil)
+
+	sr, err := login.conn.Search(searchRequest)
+	if err != nil {
+		return nil, ErrLDAPSearchInternalError
+	}
+
+	if len(sr.Entries) != 1 {
+		return nil, ErrLDAPSearchNotFound
+	}
+	entry := sr.Entries[0]
+
+	username := login.Info.Username
+	lu := &LoggedUser{
+		Username:     username,
+		Login:        login,
+		Entry:        entry,
+		Capabilities: NewCapabilities(login, entry),
+		Quota:        NewUserQuotaFromEntry(entry),
+	}
+	return lu, nil
+}
+func (lu *LoggedUser) WelcomeName() string {
+	ret := lu.Entry.GetAttributeValue("givenname")
+	if ret == "" {
+		ret = lu.Entry.GetAttributeValue("displayname")
+	}
+	if ret == "" {
+		ret = lu.Login.Info.Username
+	}
+	return ret
+}
+
+func (lu *LoggedUser) S3KeyInfo() (*garage.KeyInfo, error) {
+	var err error
+	var keyPair *garage.KeyInfo
+
+	if lu.s3key == nil {
+		keyID := lu.Entry.GetAttributeValue("garage_s3_access_key")
+		if keyID == "" {
+			// If there is no S3Key in LDAP, generate it...
+			keyPair, err = grgCreateKey(lu.Username)
+			if err != nil {
+				return nil, err
+			}
+			modify_request := ldap.NewModifyRequest(lu.Login.Info.DN(), nil)
+			modify_request.Replace("garage_s3_access_key", []string{*keyPair.AccessKeyId})
+			// @FIXME compatibility feature for bagage (SFTP+webdav)
+			// you can remove it once bagage will be updated to fetch the key from garage directly
+			// or when bottin will be able to dynamically fetch it.
+			modify_request.Replace("garage_s3_secret_key", []string{*keyPair.SecretAccessKey.Get()})
+			err = lu.Login.conn.Modify(modify_request)
+			if err != nil {
+				return nil, err
+			}
+		} else {
+			// There is an S3 key in LDAP, fetch its descriptor...
+			keyPair, err = grgGetKey(keyID)
+			if err != nil {
+				return nil, err
+			}
+		}
+
+		// Cache the keypair...
+		lu.s3key = keyPair
+	}
+
+	return lu.s3key, nil
+}
+
+// --- Require User Check
+func RequireUser(r *http.Request) (*LoggedUser, error) {
+	var login_info *LoginInfo
+
+	if li, err := NewLoginInfoFromSession(r); err == nil {
+		login_info = li
+	} else if li, err := NewLoginInfoFromBasicAuth(r); err == nil {
+		login_info = li
+	} else {
+		return nil, ErrNotAuthenticated
+	}
+
+	loginStatus, err := NewLoginStatus(r, login_info)
+	if err != nil {
+		return nil, err
+	}
+
+	return NewLoggedUser(loginStatus)
+}
+
+func RequireUserHtml(w http.ResponseWriter, r *http.Request) *LoggedUser {
+	user, err := RequireUser(r)
+
+	if errors.Is(err, ErrNotAuthenticated) || errors.Is(err, ErrWrongLDAPCredentials) {
+		http.Redirect(w, r, "/login", http.StatusFound)
+		return nil
+	}
+
+	if err != nil {
+		http.Error(w, err.Error(), http.StatusInternalServerError)
+		return nil
+	}
+
+	return user
+}
+
+func RequireUserApi(w http.ResponseWriter, r *http.Request) *LoggedUser {
+	user, err := RequireUser(r)
+
+	if errors.Is(err, ErrNotAuthenticated) || errors.Is(err, ErrWrongLDAPCredentials) {
+		http.Error(w, err.Error(), http.StatusUnauthorized)
+		return nil
+	}
+
+	if err != nil {
+		http.Error(w, err.Error(), http.StatusInternalServerError)
+		return nil
+	}
+
+	return user
+}

main.go

@@ -2,10 +2,8 @@ package main
 
 import (
 	"crypto/rand"
-	"crypto/tls"
 	"encoding/json"
 	"flag"
-	"fmt"
 	"html/template"
 	"io/ioutil"
 	"log"
@@ -29,6 +27,10 @@ type ConfigFile struct {
 	GroupBaseDN   string `json:"group_base_dn"`
 	GroupNameAttr string `json:"group_name_attr"`
 
+	MailingBaseDN       string `json:"mailing_list_base_dn"`
+	MailingNameAttr     string `json:"mailing_list_name_attr"`
+	MailingGuestsBaseDN string `json:"mailing_list_guest_user_base_dn"`
+
 	InvitationBaseDN   string   `json:"invitation_base_dn"`
 	InvitationNameAttr string   `json:"invitation_name_attr"`
 	InvitedMailFormat  string   `json:"invited_mail_format"`
@@ -44,6 +46,9 @@ type ConfigFile struct {
 	GroupCanInvite string `json:"group_can_invite"`
 	GroupCanAdmin  string `json:"group_can_admin"`
 
+	S3AdminEndpoint string `json:"s3_admin_endpoint"`
+	S3AdminToken    string `json:"s3_admin_token"`
+
 	S3Endpoint  string `json:"s3_endpoint"`
 	S3AccessKey string `json:"s3_access_key"`
 	S3SecretKey string `json:"s3_secret_key"`
@@ -51,12 +56,16 @@ type ConfigFile struct {
 	S3Bucket    string `json:"s3_bucket"`
 }
 
-var configFlag = flag.String("config", "./config.json", "Configuration file path")
+var fsServer = flag.NewFlagSet("server", flag.ContinueOnError)
+var configFlag = fsServer.String("config", "./config.json", "Configuration file path")
 
 var config *ConfigFile
 
 const SESSION_NAME = "guichet_session"
 
+var staticPath = "./static"
+var templatePath = "./templates"
+
 var store sessions.Store = nil
 
 func readConfig() ConfigFile {
@@ -94,9 +103,35 @@ func readConfig() ConfigFile {
 	return config_file
 }
 
-func main() {
+func getTemplate(name string) *template.Template {
-	flag.Parse()
+	return template.Must(template.New("layout.html").Funcs(template.FuncMap{
+		"contains": strings.Contains,
+	}).ParseFiles(
+		templatePath+"/layout.html",
+		templatePath+"/"+name,
+	))
+}
 
+func main() {
+	if len(os.Args) < 2 {
+		server(os.Args[1:])
+		return
+	}
+
+	switch os.Args[1] {
+	case "cli":
+		cliMain(os.Args[2:])
+	case "server":
+		server(os.Args[2:])
+	default:
+		log.Println("Usage: guichet [server|cli] --help")
+		os.Exit(1)
+	}
+}
+
+func server(args []string) {
+	log.Println("Starting Guichet Server")
+	fsServer.Parse(args)
 	config_file := readConfig()
 	config = &config_file
 
@@ -109,8 +144,12 @@ func main() {
 
 	r := mux.NewRouter()
 	r.HandleFunc("/", handleHome)
+	r.HandleFunc("/login", handleLogin)
 	r.HandleFunc("/logout", handleLogout)
 
+	r.HandleFunc("/api/unstable/website", handleAPIWebsiteList)
+	r.HandleFunc("/api/unstable/website/{bucket}", handleAPIWebsiteInspect)
+
 	r.HandleFunc("/profile", handleProfile)
 	r.HandleFunc("/passwd", handlePasswd)
 	r.HandleFunc("/picture/{name}", handleDownloadPicture)
@@ -118,16 +157,23 @@ func main() {
 	r.HandleFunc("/directory/search", handleDirectorySearch)
 	r.HandleFunc("/directory", handleDirectory)
 
+	r.HandleFunc("/website", handleWebsiteList)
+	r.HandleFunc("/website/new", handleWebsiteNew)
+	r.HandleFunc("/website/inspect/{bucket}", handleWebsiteInspect)
+	r.HandleFunc("/website/vhost/{bucket}", handleWebsiteVhost)
+
 	r.HandleFunc("/invite/new_account", handleInviteNewAccount)
 	r.HandleFunc("/invite/send_code", handleInviteSendCode)
 	r.HandleFunc("/invitation/{code}", handleInvitationCode)
 
 	r.HandleFunc("/admin/users", handleAdminUsers)
 	r.HandleFunc("/admin/groups", handleAdminGroups)
+	r.HandleFunc("/admin/mailing", handleAdminMailing)
+	r.HandleFunc("/admin/mailing/{id}", handleAdminMailingList)
 	r.HandleFunc("/admin/ldap/{dn}", handleAdminLDAP)
 	r.HandleFunc("/admin/create/{template}/{super_dn}", handleAdminCreate)
 
-	staticfiles := http.FileServer(http.Dir("static"))
+	staticfiles := http.FileServer(http.Dir(staticPath))
 	r.Handle("/static/{file:.*}", http.StripPrefix("/static/", staticfiles))
 
 	log.Printf("Starting HTTP server on %s", config.HttpBindAddr)
@@ -137,31 +183,6 @@ func main() {
 	}
 }
 
-type LoginInfo struct {
-	Username string
-	DN       string
-	Password string
-}
-
-type LoginStatus struct {
-	Info      *LoginInfo
-	conn      *ldap.Conn
-	UserEntry *ldap.Entry
-	CanAdmin  bool
-	CanInvite bool
-}
-
-func (login *LoginStatus) WelcomeName() string {
-	ret := login.UserEntry.GetAttributeValue("givenname")
-	if ret == "" {
-		ret = login.UserEntry.GetAttributeValue("displayname")
-	}
-	if ret == "" {
-		ret = login.Info.Username
-	}
-	return ret
-}
-
 func logRequest(handler http.Handler) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		log.Printf("%s %s %s\n", r.RemoteAddr, r.Method, r.URL)
@@ -169,148 +190,31 @@ func logRequest(handler http.Handler) http.Handler {
 	})
 }
 
-func checkLogin(w http.ResponseWriter, r *http.Request) *LoginStatus {
-	var login_info *LoginInfo
-
-	session, err := store.Get(r, SESSION_NAME)
-	if err == nil {
-		username, ok := session.Values["login_username"]
-		password, ok2 := session.Values["login_password"]
-		user_dn, ok3 := session.Values["login_dn"]
-
-		if ok && ok2 && ok3 {
-			login_info = &LoginInfo{
-				DN:       user_dn.(string),
-				Username: username.(string),
-				Password: password.(string),
-			}
-		}
-	}
-
-	if login_info == nil {
-		login_info = handleLogin(w, r)
-		if login_info == nil {
-			return nil
-		}
-	}
-
-	l := ldapOpen(w)
-	if l == nil {
-		return nil
-	}
-
-	err = l.Bind(login_info.DN, login_info.Password)
-	if err != nil {
-		delete(session.Values, "login_username")
-		delete(session.Values, "login_password")
-		delete(session.Values, "login_dn")
-
-		err = session.Save(r, w)
-		if err != nil {
-			http.Error(w, err.Error(), http.StatusInternalServerError)
-			return nil
-		}
-		return checkLogin(w, r)
-	}
-
-	loginStatus := &LoginStatus{
-		Info: login_info,
-		conn: l,
-	}
-
-	requestKind := "(objectClass=organizationalPerson)"
-	if strings.EqualFold(login_info.DN, config.AdminAccount) {
-		requestKind = "(objectclass=*)"
-	}
-	searchRequest := ldap.NewSearchRequest(
-		login_info.DN,
-		ldap.ScopeBaseObject, ldap.NeverDerefAliases, 0, 0, false,
-		requestKind,
-		[]string{
-			"dn",
-			"displayname",
-			"givenname",
-			"sn",
-			"mail",
-			"memberof",
-			"description",
-			FIELD_NAME_DIRECTORY_VISIBILITY,
-			FIELD_NAME_PROFILE_PICTURE,
-		},
-		nil)
-
-	sr, err := l.Search(searchRequest)
-	if err != nil {
-		http.Error(w, err.Error(), http.StatusInternalServerError)
-		return nil
-	}
-
-	if len(sr.Entries) != 1 {
-		http.Error(w, fmt.Sprintf("Unable to find entry for %s", login_info.DN), http.StatusInternalServerError)
-		return nil
-	}
-
-	loginStatus.UserEntry = sr.Entries[0]
-
-	loginStatus.CanAdmin = strings.EqualFold(loginStatus.Info.DN, config.AdminAccount)
-	loginStatus.CanInvite = false
-	for _, attr := range loginStatus.UserEntry.Attributes {
-		if strings.EqualFold(attr.Name, "memberof") {
-			for _, group := range attr.Values {
-				if config.GroupCanInvite != "" && strings.EqualFold(group, config.GroupCanInvite) {
-					loginStatus.CanInvite = true
-				}
-				if config.GroupCanAdmin != "" && strings.EqualFold(group, config.GroupCanAdmin) {
-					loginStatus.CanAdmin = true
-				}
-			}
-		}
-	}
-
-	return loginStatus
-}
-
-func ldapOpen(w http.ResponseWriter) *ldap.Conn {
-	l, err := ldap.DialURL(config.LdapServerAddr)
-	if err != nil {
-		http.Error(w, err.Error(), http.StatusInternalServerError)
-		return nil
-	}
-
-	if config.LdapTLS {
-		err = l.StartTLS(&tls.Config{InsecureSkipVerify: true})
-		if err != nil {
-			http.Error(w, err.Error(), http.StatusInternalServerError)
-			return nil
-		}
-	}
-
-	return l
-}
-
 // Page handlers ----
 
+// --- Home Controller
 type HomePageData struct {
-	Login  *LoginStatus
+	User   *LoggedUser
 	BaseDN string
 }
 
 func handleHome(w http.ResponseWriter, r *http.Request) {
-	templateHome := template.Must(template.ParseFiles("templates/layout.html", "templates/home.html"))
+	templateHome := getTemplate("home.html")
 
-	login := checkLogin(w, r)
+	user := RequireUserHtml(w, r)
-	if login == nil {
+	if user == nil {
 		return
 	}
 
 	data := &HomePageData{
-		Login:  login,
+		User:   user,
 		BaseDN: config.BaseDN,
 	}
 
 	templateHome.Execute(w, data)
 }
 
+// --- Logout Controller
 func handleLogout(w http.ResponseWriter, r *http.Request) {
 	session, err := store.Get(r, SESSION_NAME)
 	if err != nil {
@@ -327,9 +231,10 @@ func handleLogout(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	http.Redirect(w, r, "/", http.StatusFound)
+	http.Redirect(w, r, "/login", http.StatusFound)
 }
 
+// --- Login Controller ---
 type LoginFormData struct {
 	Username     string
 	WrongUser    bool
@@ -337,28 +242,26 @@ type LoginFormData struct {
 	ErrorMessage string
 }
 
-func handleLogin(w http.ResponseWriter, r *http.Request) *LoginInfo {
+func handleLogin(w http.ResponseWriter, r *http.Request) {
-	templateLogin := template.Must(template.ParseFiles("templates/layout.html", "templates/login.html"))
+	templateLogin := getTemplate("login.html")
 
 	if r.Method == "GET" {
 		templateLogin.Execute(w, LoginFormData{})
-		return nil
+		return
 	} else if r.Method == "POST" {
 		r.ParseForm()
 
 		username := strings.Join(r.Form["username"], "")
 		password := strings.Join(r.Form["password"], "")
-		user_dn := fmt.Sprintf("%s=%s,%s", config.UserNameAttr, username, config.UserBaseDN)
+		loginInfo := LoginInfo{username, password}
-		if strings.EqualFold(username, config.AdminAccount) {
+
-			user_dn = username
+		l, err := NewLdapCon()
+		if err != nil {
+			http.Error(w, err.Error(), http.StatusInternalServerError)
+			return
 		}
 
-		l := ldapOpen(w)
+		err = l.Bind(loginInfo.DN(), loginInfo.Password)
-		if l == nil {
-			return nil
-		}
-
-		err := l.Bind(user_dn, password)
 		if err != nil {
 			data := &LoginFormData{
 				Username: username,
@@ -371,7 +274,7 @@ func handleLogin(w http.ResponseWriter, r *http.Request) *LoginInfo {
 				data.ErrorMessage = err.Error()
 			}
 			templateLogin.Execute(w, data)
-			return nil
+			return
 		}
 
 		// Successfully logged in, save it to session
@@ -382,21 +285,15 @@ func handleLogin(w http.ResponseWriter, r *http.Request) *LoginInfo {
 
 		session.Values["login_username"] = username
 		session.Values["login_password"] = password
-		session.Values["login_dn"] = user_dn
 
 		err = session.Save(r, w)
 		if err != nil {
 			http.Error(w, err.Error(), http.StatusInternalServerError)
-			return nil
+			return
 		}
 
-		return &LoginInfo{
+		http.Redirect(w, r, "/", http.StatusFound)
-			DN:       user_dn,
-			Username: username,
-			Password: password,
-		}
 	} else {
 		http.Error(w, "Unsupported method", http.StatusBadRequest)
-		return nil
 	}
 }

picture.go

@@ -44,7 +44,7 @@ func newMinioClient() (*minio.Client, error) {
 }
 
 // Upload image through guichet server.
-func uploadProfilePicture(w http.ResponseWriter, r *http.Request, login *LoginStatus) (string, error) {
+func uploadProfilePicture(w http.ResponseWriter, r *http.Request, user *LoggedUser) (string, error) {
 	file, _, err := r.FormFile("image")
 
 	if err == http.ErrMissingFile {
@@ -74,7 +74,7 @@ func uploadProfilePicture(w http.ResponseWriter, r *http.Request, login *LoginSt
 
 	// If a previous profile picture existed, delete it
 	// (don't care about errors)
-	if nameConsul := login.UserEntry.GetAttributeValue(FIELD_NAME_PROFILE_PICTURE); nameConsul != "" {
+	if nameConsul := user.Entry.GetAttributeValue(FIELD_NAME_PROFILE_PICTURE); nameConsul != "" {
 		mc.RemoveObject(context.Background(), config.S3Bucket, nameConsul, minio.RemoveObjectOptions{})
 		mc.RemoveObject(context.Background(), config.S3Bucket, nameConsul+"-thumb", minio.RemoveObjectOptions{})
 	}
@@ -144,9 +144,9 @@ func resizePicture(file multipart.File, buffFull, buffThumb *bytes.Buffer) error
 func handleDownloadPicture(w http.ResponseWriter, r *http.Request) {
 	name := mux.Vars(r)["name"]
 
-	//Check login
+	// Get user
-	login := checkLogin(w, r)
+	user := RequireUserHtml(w, r)
-	if login == nil {
+	if user == nil {
 		return
 	}
 

profile.go

@@ -1,7 +1,6 @@
 package main
 
 import (
-	"html/template"
 	"net/http"
 	"strings"
 
@@ -9,7 +8,7 @@ import (
 )
 
 type ProfileTplData struct {
-	Status         *LoginStatus
+	User           *LoggedUser
 	ErrorMessage   string
 	Success        bool
 	Mail           string
@@ -22,26 +21,26 @@ type ProfileTplData struct {
 }
 
 func handleProfile(w http.ResponseWriter, r *http.Request) {
-	templateProfile := template.Must(template.ParseFiles("templates/layout.html", "templates/profile.html"))
+	templateProfile := getTemplate("profile.html")
 
-	login := checkLogin(w, r)
+	user := RequireUserHtml(w, r)
-	if login == nil {
+	if user == nil {
 		return
 	}
 
 	data := &ProfileTplData{
-		Status:       login,
+		User:         user,
 		ErrorMessage: "",
 		Success:      false,
 	}
 
-	data.Mail = login.UserEntry.GetAttributeValue("mail")
+	data.Mail = user.Entry.GetAttributeValue("mail")
-	data.DisplayName = login.UserEntry.GetAttributeValue("displayname")
+	data.DisplayName = user.Entry.GetAttributeValue("displayname")
-	data.GivenName = login.UserEntry.GetAttributeValue("givenname")
+	data.GivenName = user.Entry.GetAttributeValue("givenname")
-	data.Surname = login.UserEntry.GetAttributeValue("sn")
+	data.Surname = user.Entry.GetAttributeValue("sn")
-	data.Visibility = login.UserEntry.GetAttributeValue(FIELD_NAME_DIRECTORY_VISIBILITY)
+	data.Visibility = user.Entry.GetAttributeValue(FIELD_NAME_DIRECTORY_VISIBILITY)
-	data.Description = login.UserEntry.GetAttributeValue("description")
+	data.Description = user.Entry.GetAttributeValue("description")
-	data.ProfilePicture = login.UserEntry.GetAttributeValue(FIELD_NAME_PROFILE_PICTURE)
+	data.ProfilePicture = user.Entry.GetAttributeValue(FIELD_NAME_PROFILE_PICTURE)
 
 	if r.Method == "POST" {
 		//5MB maximum size files
@@ -57,7 +56,7 @@ func handleProfile(w http.ResponseWriter, r *http.Request) {
 		}
 		data.Visibility = visible
 
-		profilePicture, err := uploadProfilePicture(w, r, login)
+		profilePicture, err := uploadProfilePicture(w, r, user)
 		if err != nil {
 			data.ErrorMessage = err.Error()
 		}
@@ -66,7 +65,7 @@ func handleProfile(w http.ResponseWriter, r *http.Request) {
 			data.ProfilePicture = profilePicture
 		}
 
-		modify_request := ldap.NewModifyRequest(login.Info.DN, nil)
+		modify_request := ldap.NewModifyRequest(user.Login.Info.DN(), nil)
 		modify_request.Replace("displayname", []string{data.DisplayName})
 		modify_request.Replace("givenname", []string{data.GivenName})
 		modify_request.Replace("sn", []string{data.Surname})
@@ -76,7 +75,7 @@ func handleProfile(w http.ResponseWriter, r *http.Request) {
 			modify_request.Replace(FIELD_NAME_PROFILE_PICTURE, []string{data.ProfilePicture})
 		}
 
-		err = login.conn.Modify(modify_request)
+		err = user.Login.conn.Modify(modify_request)
 		if err != nil {
 			data.ErrorMessage = err.Error()
 		} else {
@@ -89,7 +88,7 @@ func handleProfile(w http.ResponseWriter, r *http.Request) {
 }
 
 type PasswdTplData struct {
-	Status        *LoginStatus
+	User          *LoggedUser
 	ErrorMessage  string
 	TooShortError bool
 	NoMatchError  bool
@@ -97,15 +96,15 @@ type PasswdTplData struct {
 }
 
 func handlePasswd(w http.ResponseWriter, r *http.Request) {
-	templatePasswd := template.Must(template.ParseFiles("templates/layout.html", "templates/passwd.html"))
+	templatePasswd := getTemplate("passwd.html")
 
-	login := checkLogin(w, r)
+	user := RequireUserHtml(w, r)
-	if login == nil {
+	if user == nil {
 		return
 	}
 
 	data := &PasswdTplData{
-		Status:       login,
+		User:         user,
 		ErrorMessage: "",
 		Success:      false,
 	}
@@ -121,14 +120,19 @@ func handlePasswd(w http.ResponseWriter, r *http.Request) {
 		} else if password2 != password {
 			data.NoMatchError = true
 		} else {
-			modify_request := ldap.NewModifyRequest(login.Info.DN, nil)
+			modify_request := ldap.NewModifyRequest(user.Login.Info.DN(), nil)
-			modify_request.Replace("userpassword", []string{SSHAEncode([]byte(password))})
+			pw, err := SSHAEncode(password)
-			err := login.conn.Modify(modify_request)
+			if err == nil {
+				modify_request.Replace("userpassword", []string{pw})
+				err := user.Login.conn.Modify(modify_request)
 				if err != nil {
 					data.ErrorMessage = err.Error()
 				} else {
 					data.Success = true
 				}
+			} else {
+				data.ErrorMessage = err.Error()
+			}
 		}
 	}
 

quotas.go

@@ -0,0 +1,151 @@
+package main
+
+import (
+	"errors"
+	"fmt"
+	"strconv"
+
+	garage "git.deuxfleurs.fr/garage-sdk/garage-admin-sdk-golang"
+	"github.com/go-ldap/ldap/v3"
+)
+
+const (
+	// --- Default Quota Values ---
+	QUOTA_WEBSITE_SIZE_DEFAULT = 1024 * 1024 * 50  // 50MB
+	QUOTA_WEBSITE_SIZE_BURSTED = 1024 * 1024 * 200 // 200MB
+	QUOTA_WEBSITE_OBJECTS      = 10000             // 10k objects
+	QUOTA_WEBSITE_COUNT        = 5                 // 5 buckets
+
+	// --- Per-user overridable fields ---
+	FIELD_QUOTA_WEBSITE_SIZE_BURSTED = "quota_website_size_bursted"
+	FIELD_QUOTA_WEBSITE_COUNT        = "quota_website_count"
+)
+
+type UserQuota struct {
+	WebsiteCount       int64
+	WebsiteSizeDefault int64
+	WebsiteSizeBursted int64
+	WebsiteObjects     int64
+}
+
+func NewUserQuota() *UserQuota {
+	return &UserQuota{
+		WebsiteCount:       QUOTA_WEBSITE_COUNT,
+		WebsiteSizeDefault: QUOTA_WEBSITE_SIZE_DEFAULT,
+		WebsiteSizeBursted: QUOTA_WEBSITE_SIZE_BURSTED,
+		WebsiteObjects:     QUOTA_WEBSITE_OBJECTS,
+	}
+}
+
+var (
+	ErrQuotaEmpty   = fmt.Errorf("No quota is defined for this entry")
+	ErrQuotaInvalid = fmt.Errorf("The defined quota can't be parsed")
+)
+
+func entryToQuota(entry *ldap.Entry, field string) (int64, error) {
+	f := entry.GetAttributeValue(field)
+	if f == "" {
+		return -1, ErrQuotaEmpty
+	}
+
+	q, err := strconv.ParseInt(f, 10, 64)
+	if err != nil {
+		return -1, errors.Join(ErrQuotaInvalid, err)
+	}
+	return q, nil
+}
+
+func NewUserQuotaFromEntry(entry *ldap.Entry) *UserQuota {
+	quotas := NewUserQuota()
+
+	if q, err := entryToQuota(entry, FIELD_QUOTA_WEBSITE_COUNT); err == nil {
+		quotas.WebsiteCount = q
+	}
+
+	if q, err := entryToQuota(entry, FIELD_QUOTA_WEBSITE_SIZE_BURSTED); err == nil {
+		quotas.WebsiteSizeBursted = q
+	}
+
+	return quotas
+}
+
+func (q *UserQuota) DefaultWebsiteQuota() *garage.UpdateBucketRequestQuotas {
+	qr := garage.NewUpdateBucketRequestQuotas()
+
+	qr.SetMaxSize(q.WebsiteSizeDefault)
+	qr.SetMaxObjects(q.WebsiteSizeBursted)
+
+	return qr
+}
+
+func (q *UserQuota) WebsiteSizeAdjust(sz int64) int64 {
+	if sz < q.WebsiteSizeDefault {
+		return q.WebsiteSizeDefault
+	} else if sz > q.WebsiteSizeBursted {
+		return q.WebsiteSizeBursted
+	} else {
+		return sz
+	}
+}
+
+func (q *UserQuota) WebsiteObjectAdjust(objs int64) int64 {
+	if objs > q.WebsiteObjects || objs <= 0 {
+		return q.WebsiteObjects
+	} else {
+		return objs
+	}
+}
+
+func (q *UserQuota) WebsiteSizeBurstedPretty() string {
+	return prettyValue(q.WebsiteSizeBursted)
+}
+
+// --- A quota stat we can use
+type QuotaStat struct {
+	Current   int64   `json:"current"`
+	Max       int64   `json:"max"`
+	Ratio     float64 `json:"ratio"`
+	Burstable bool    `json:"burstable"`
+}
+
+func NewQuotaStat(current, max int64, burstable bool) QuotaStat {
+	return QuotaStat{
+		Current:   current,
+		Max:       max,
+		Ratio:     float64(current) / float64(max),
+		Burstable: burstable,
+	}
+}
+func (q *QuotaStat) IsFull() bool {
+	return q.Current >= q.Max
+}
+func (q *QuotaStat) Percent() int64 {
+	return int64(q.Ratio * 100)
+}
+
+func (q *QuotaStat) PrettyCurrent() string {
+	return prettyValue(q.Current)
+}
+func (q *QuotaStat) PrettyMax() string {
+	return prettyValue(q.Max)
+}
+
+func prettyValue(v int64) string {
+	if v < 1024 {
+		return fmt.Sprintf("%d octets", v)
+	}
+	v = v / 1024
+	if v < 1024 {
+		return fmt.Sprintf("%d kio", v)
+	}
+	v = v / 1024
+	if v < 1024 {
+		return fmt.Sprintf("%d Mio", v)
+	}
+	v = v / 1024
+	if v < 1024 {
+		return fmt.Sprintf("%d Gio", v)
+	}
+	v = v / 1024
+	return fmt.Sprintf("%d Tio", v)
+}

ssha.go

@@ -1,37 +1,10 @@
 package main
 
 import (
-	"crypto/rand"
+	"github.com/jsimonetti/pwscheme/ssha512"
-	"crypto/sha1"
-	"encoding/base64"
-	"fmt"
-
-	log "github.com/sirupsen/logrus"
 )
 
 // Encode encodes the []byte of raw password
-func SSHAEncode(rawPassPhrase []byte) string {
+func SSHAEncode(rawPassPhrase string) (string, error) {
-	hash := makeSSHAHash(rawPassPhrase, makeSalt())
+	return ssha512.Generate(rawPassPhrase, 16)
-	b64 := base64.StdEncoding.EncodeToString(hash)
-	return fmt.Sprintf("{ssha}%s", b64)
-}
-
-// makeSalt make a 32 byte array containing random bytes.
-func makeSalt() []byte {
-	sbytes := make([]byte, 32)
-	_, err := rand.Read(sbytes)
-	if err != nil {
-		log.Panicf("Could not read random bytes: %s", err)
-	}
-	return sbytes
-}
-
-// makeSSHAHash make hasing using SHA-1 with salt. This is not the final output though. You need to append {SSHA} string with base64 of this hash.
-func makeSSHAHash(passphrase, salt []byte) []byte {
-	sha := sha1.New()
-	sha.Write(passphrase)
-	sha.Write(salt)
-
-	h := sha.Sum(nil)
-	return append(h, salt...)
 }

templates/admin_create.html

@@ -30,10 +30,17 @@
     <input type="text" disabled="true" class="form-control" value="{{ .SuperDN }}" />
   </div>
   -->
+  {{if eq .Template "ml"}}
+    <div class="form-group">
+      <label for="idvalue">Adresse complète de la mailing list :</label>
+      <input type="text" id="idvalue" name="idvalue" class="form-control" value="{{ .IdValue }}" placeholder="example@deuxfleurs.fr" />
+    </div>
+  {{else}}
     <div class="form-group">
         <label for="idvalue">Identifiant :</label>
       <input type="text" id="idvalue" name="idvalue" class="form-control" value="{{ .IdValue }}" />
     </div>
+  {{end}}
   <div class="form-group">
     <label for="idtype">Type d'identifiant :</label>
     <input type="text" {{if .Template}}disabled="disabled"{{end}} id="idtype" name="idtype" class="form-control" value="{{ .IdType }}" />

templates/admin_groups.html

@@ -8,6 +8,11 @@
   <a class="ml-4 btn btn-info" href="/">Menu principal</a>
 </div>
 
+<div class="alert alert-warning mt-4">
+    Les groupes servent uniquement à contrôler l'accès à différentes fonctionalités de Deuxfleurs.
+    Ce ne sont pas des <a href="/admin/mailing">mailing lists</a>.
+</div>
+
 <table class="table mt-4">
   <thead>
     <th scope="col">Identifiant</th>

templates/admin_ldap.html

@@ -23,7 +23,17 @@
 
 <table class="table mt-4">
   <tbody>
-    {{range .Children}}
+    {{range .ChildrenOU}}
+        <tr>
+          <td>
+            <a href="/admin/ldap/{{.DN}}">
+              🗀 {{.Identifier}}
+            </a>
+          </td>
+          <td>{{.Name}}</td>
+        </tr>
+    {{end}}
+    {{range .ChildrenOther}}
         <tr>
           <td>
             <a href="/admin/ldap/{{.DN}}">
@@ -94,8 +104,12 @@
           <div class="col-md-3"><strong>{{$key}}</strong></div>
           <div class="col-md-9">
           {{range $value.Values}}
+            {{if eq $key "creatorsname" "modifiersname" }}
+              <div><a href="/admin/ldap/{{.}}">{{.}}</a></div>
+            {{else}}
               <div>{{.}}</div>
             {{end}}
+          {{end}}
           </div>
         </div>
       {{end}}

templates/admin_mailing.html

@@ -0,0 +1,32 @@
+{{define "title"}}Mailing lists |{{end}}
+
+{{define "body"}}
+
+<div class="d-flex">
+  <h4>Mailing lists</h4>
+  <a class="ml-auto btn btn-success" href="/admin/create/ml/{{.MailingBaseDN}}">Nouvelle mailing list</a>
+  <a class="ml-4 btn btn-info" href="/">Menu principal</a>
+</div>
+
+<table class="table mt-4">
+  <thead>
+    <th scope="col">Adresse</th>
+    <th scope="col">Description</th>
+  </thead>
+  <tbody>
+    {{with $root := .}}
+      {{range $ml := $root.MailingLists}}
+        <tr>
+          <td>
+            <a href="/admin/mailing/{{$ml.GetAttributeValue $root.MailingNameAttr}}">
+              {{$ml.GetAttributeValue $root.MailingNameAttr}}
+            </a>
+          </td>
+          <td>{{$ml.GetAttributeValue "description"}}</td>
+        </tr>
+      {{end}}
+    {{end}}
+  </tbody>
+</table>
+
+{{end}}

templates/admin_mailing_list.html

@@ -0,0 +1,117 @@
+{{define "title"}}ML {{.MailingList.GetAttributeValue .MailingNameAttr}} |{{end}}
+
+{{define "body"}}
+
+<div class="d-flex">
+  <h4>ML {{.MailingList.GetAttributeValue .MailingNameAttr}}
+    <a class="ml-auto btn btn-sm btn-dark" href="/admin/ldap/{{.MailingList.DN}}">Vue avancée</a>
+  </h4>
+  <a class="ml-auto btn btn-dark" href="/admin/mailing">Liste des ML</a>
+  <a class="ml-4 btn btn-info" href="/">Menu principal</a>
+</div>
+
+{{if .Success}}
+  <div class="alert alert-success mt-2">Modification enregistrée.</div>
+{{end}}
+{{if .Error}}
+  <div class="alert alert-danger mt-2">
+    Impossible d'effectuer la modification.
+    <div style="font-size: 0.8em">{{.Error}}</div>
+  </div>
+{{end}}
+
+{{with $desc := .MailingList.GetAttributeValue "description"}}{{if $desc}}
+  <p class="mt-4">{{$desc}}</p>
+{{end}}{{end}}
+
+<table class="table mt-4">
+  <thead>
+    <th scope="col">Adresse</th>
+    <th scope="col">Nom</th>
+    <th scope="col" style="width: 6em"></th>
+  </thead>
+  <tbody>
+    {{with $root := .}}
+      {{range $member := $root.Members}}
+        <tr>
+          <td>
+            <a href="/admin/ldap/{{$member.DN}}">
+              {{$member.GetAttributeValue "mail"}}
+            </a>
+          </td>
+          <td>{{$member.GetAttributeValue "displayname"}}</td>
+          <td>
+            <form method="POST" onsubmit="return confirm('Supprimer de la ML ?');">
+              <input type="hidden" name="action" value="delete-member" />
+              <input type="hidden" name="member" value="{{.DN}}" />
+              <input type="submit" value="Suppr" class="form-control btn btn-danger btn-sm" />
+            </form>
+          </td>
+        </tr>
+      {{end}}
+    {{end}}
+    {{if not .Members}}
+      <tr><td>(aucun abonné)</td></tr>
+    {{end}}
+  </tbody>
+</table>
+
+<hr class="mt-4" />
+<h5 class="mt-4">Ajouter un destinataire</h5>
+
+<div class="container">
+  <form method="POST">
+    <input type="hidden" name="action" value="add-member" />
+    <div class="row mt-4">
+      <div class="col-md-3"><strong>Utilisateur existant :</strong> </div>
+      <div class="col-md-5">
+        <input class="form-control" type="text" list="users" name="member" placeholder="Utilisateur..." />
+        <datalist id="users">
+          {{range .PossibleNewMembers}}
+            {{if .GetAttributeValue "mail"}}
+              <option value="{{.DN}}">{{if .GetAttributeValue "displayname"}}{{.GetAttributeValue "displayname"}} ({{.GetAttributeValue "mail" }}){{else}}{{.GetAttributeValue "mail"}}{{end}}</option>
+            {{end}}
+          {{end}}
+        </datalist>
+      </div>
+      <div class="col-md-2">
+        <input type="submit" value="Ajouter" class="form-control btn btn-success btn-sm" />
+      </div>
+    </div>
+  </form>
+
+  {{if .AllowGuest}}
+  <div class="row mt-4">
+    <div class="col-md-10">OU</div>
+  </div>
+
+  <form method="POST">
+    <input type="hidden" name="action" value="add-external" />
+    <div class="row mt-4">
+      <div class="col-md-3"><strong>E-mail :</strong></div>
+      <div class="col-md-5">
+        <input class="form-control" type="text"  name="mail" placeholder="machin@truc.net..." />
+      </div>
+      <div class="col-md-2">
+      </div>
+    </div>
+    <div class="row mt-4">
+      <div class="col-md-3"><strong>Nom (optionnel) :</strong></div>
+      <div class="col-md-5">
+        <input class="form-control" type="text"  name="displayname" placeholder="Machin Truc..." />
+      </div>
+      <div class="col-md-2">
+        <input type="submit" value="Ajouter" class="form-control btn btn-success btn-sm" />
+      </div>
+    </div>
+    <div class="row">
+      <small class="form-text text-muted col-md-10">
+        Si un utilisateur existe déjà avec l'email spécifiée, celui-ci sera ajouté à la liste.
+        Sinon, un utilisateur invité sera créé.
+      </small>
+    </div>
+  </form>
+  {{end}}
+</div>
+
+{{end}}

templates/garage_website_edit.html

@@ -0,0 +1,72 @@
+{{define "title"}}Créer un site web |{{end}}
+
+{{define "body"}}
+<div class="d-flex">
+    <h4>Modifier le nom de domaine</h4>
+    <a class="ml-auto btn btn-link" href="/website/configure">Mes identifiants</a>
+    <a class="ml-4 btn btn-info" href="/website">Mes sites webs</a>
+</div>
+
+<div class="row mt-3">
+	<div class="col-md-12">
+	{{if .Err}}
+		<div class="alert alert-danger">{{ .Err.Error }}</div>
+  	{{end}}
+	</div>
+</div>
+
+<ul class="nav nav-tabs" id="proto" role="tablist">
+    <li class="nav-item">
+        <a class="nav-link active" id="dnsint-tab" data-toggle="tab" href="#dnsint" role="tab" aria-controls="dnsint" aria-selected="true">Je n'ai pas de nom de domaine</a>
+    </li>
+    <li class="nav-item">
+        <a class="nav-link" id="dnsext-tab" data-toggle="tab" href="#dnsext" role="tab" aria-controls="dnsext" aria-selected="false">Utiliser mon propre nom de domaine</a>
+    </li>
+</ul>
+
+<div class="tab-content" id="protocols">
+
+    <div class="tab-pane fade show active" id="dnsint" role="tabpanel" aria-labelledby="dnsint-tab">
+        <form method="POST" class="mt-4">
+            <div class="form-row">
+                <div class="form-group col-md-6">
+                    <label for="bucket">Sous-domaine désiré :</label>
+                    <input type="text" id="bucket" name="bucket" placeholder="mon-site" class="form-control" value="" onkeyup="document.getElementById('url').value = `https://${document.getElementById('bucket').value}.web.deuxfleurs.fr`" />
+                </div>
+                <div class="form-group col-md-6">
+                    <label for="url">Votre site sera accessible à l'URL suivante :</label>
+                    <input type="text" id="url" disabled="true" name="url" class="form-control" value="https://mon-site.web.deuxfleurs.fr" />
+                </div>
+            </div>
+            <div class="mt-4">
+                <p>La première fois que vous chargerez votre site web, une erreur de certificat sera renvoyée. C'est normal, il faudra patienter quelques minutes le temps que le certificat se génère.</p>
+            </div>
+            <button type="submit" class="btn btn-primary">Modifier le nom de domaine</button>
+        </form>
+    </div>
+    <div class="tab-pane fade show" id="dnsext" role="tabpanel" aria-labelledby="dnsext-tab">
+        <form method="POST" class="mt-4">
+            <div class="form-row">
+                <div class="form-group col-md-6">
+                    <label for="bucket2">Votre nom de domaine :</label>
+                    <input type="text" id="bucket2" name="bucket2" placeholder="example.com" class="form-control" value="" onkeyup="document.getElementById('url2').value = `https://${document.getElementById('bucket2').value}`" />
+                </div>
+                <div class="form-group col-md-6">
+                    <label for="url2">Votre site sera accessible à l'URL suivante :</label>
+                    <input type="text" id="url2" disabled="true" name="url2" class="form-control" value="https://example.com" />
+                </div>
+            </div>
+            <div>
+                <p>Vous devez éditer votre zone DNS, souvent gérée par votre bureau d'enregistrement, comme Gandi, pour la faire pointer vers Deuxfleurs. Si vous utilisez un sous domaine (eg. <code>site.example.com</code>), une entrée <code>CNAME</code> est appropriée :</p>
+                <pre>site   CNAME    3600    garage.deuxfleurs.fr.</pre>
+                <p>Si vous utilisez la racine de votre nom de domaine (eg. <code>example.com</code>, aussi appelée APEX), la solution dépend de votre fournisseur DNS, il vous faudra au choix une entrée <code>ALIAS</code> ou <code>CNAME</code> en fonction de ce que votre fournisseur supporte :</p>
+                <pre>@      ALIAS    3600    garage.deuxfleurs.fr.</pre>
+                <p>La première fois que vous chargerez votre site web, une erreur de certificat sera renvoyée. C'est normal, il faudra patienter quelques minutes le temps que le certificat se génère.</p>
+            </div>
+            <div class="mt-4">
+            <button type="submit" class="btn btn-primary">Modifier le nom de domaine</button>
+        </form>
+
+    </div>
+</div>
+{{end}}

templates/garage_website_inspect.html

@@ -0,0 +1,355 @@
+{{define "title"}}Inspecter le site web |{{end}}
+
+{{define "body"}}
+<div class="d-flex">
+	<!--<h4>Inspecter les sites webs</h4>-->
+	<a class="ml-auto btn btn-link" href="/website/configure">Mes identifiants</a>
+	<a class="ml-4 btn btn-info" href="/">Menu principal</a>
+</div>
+
+<div class="row">
+	{{ if .Err }}
+	<div class="col-md-12 mt-3">
+		<div class="alert alert-danger">{{ .Err.Error }}</div>
+	</div>
+	{{ end }}
+
+	<div class="col-md-3 mt-3">
+		<a class="btn btn-primary btn-block" href="/website/new">
+			<svg id="i-plus" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 32 32" width="18" height="18" fill="none" stroke="currentcolor" stroke-linecap="round" stroke-linejoin="round" stroke-width="6">
+				<path d="M16 2 L16 30 M2 16 L30 16" />
+			</svg>
+			<span class="ml-1">Nouveau site web</span>
+		</a>
+
+		<div class="list-group mt-3">
+			{{ $view := .View }}
+			{{ range $wid := .Describe.Websites }}
+			{{ if eq $wid.Internal $view.Name.Internal }}
+			<a href="/website/inspect/{{ $wid.Pretty }}" class="list-group-item list-group-item-action active">
+				{{ $wid.Url }}
+			</a>
+			{{ else }}
+			<a href="/website/inspect/{{ $wid.Pretty }}" class="list-group-item list-group-item-action">
+				{{ $wid.Url }}
+			</a>
+			{{ end }}
+			{{ end }}
+		</div>
+
+		<p class="text-center mt-2">
+		{{ .Describe.AllowedWebsites.Current }} sites créés sur {{ .Describe.AllowedWebsites.Max }}<br/>
+		Jusqu'à {{ .Describe.BurstBucketQuotaSize }} par site web
+		</p>
+	</div>
+	<div class="col-md-9">
+		<h2>{{ .View.Name.Url }}</h2>
+
+		<!-- QUOTAS -->
+
+		<h5 class="mt-3">Quotas</h5>
+		<div class="progress mt-3">
+			<div class="progress-bar" role="progressbar" aria-valuenow="{{ .View.Size.Current }}" aria-valuemin="0" aria-valuemax="{{ .View.Size.Max }}" style="width: {{ .View.Size.Percent }}%; min-width: 2em;">
+				{{ .View.Size.Percent }}%
+			</div>
+		</div>
+
+		<p class="text-center">
+		{{ .View.Size.PrettyCurrent }} utilisé sur un maximum de {{ .View.Size.PrettyMax }}
+		{{ if gt .View.Files.Ratio 0.5 }}
+		<br>{{ .View.Files.Current }} fichiers sur un maximum de {{ .View.Files.Max }}
+		{{ end }}
+		</p>
+
+		<!-- ACTIONS -->
+		<h5 class="mt-3">Actions</h5>
+		<form action="" method="post">
+			<div class="btn-group" role="group" aria-label="Actions sur le site web">
+				<button class="btn btn-secondary" name="action" value="increase_quota">Augmenter le quota</button>
+				<button class="btn btn-secondary" name="action" value="rotate_key">Rotation de la clé</button>
+				<a class="btn btn-secondary" href="/website/vhost/{{ .View.Name.Pretty }}">Changer le nom de domaine</a>
+				<button class="btn btn-danger" name="action" value="delete_bucket">Supprimer</button>
+			</div>
+		</form>
+
+
+		<!-- INFO -->
+		<h5 class="mt-3">Informations de connexion</h5>
+		<ul class="nav nav-tabs" id="proto" role="tablist">
+			<li class="nav-item">
+				<a class="nav-link active" id="s3-tab" data-toggle="tab" href="#s3" role="tab" aria-controls="s3" aria-selected="true">S3 (recommandé)</a>
+			</li>
+			<li class="nav-item">
+				<a class="nav-link" id="sftp-tab" data-toggle="tab" href="#sftp" role="tab" aria-controls="sftp" aria-selected="false">SFTP</a>
+			</li>
+			<li class="nav-item">
+				<a class="nav-link" id="dav-tab" data-toggle="tab" href="#dav" role="tab" aria-controls="dav" aria-selected="false">WebDAV</a>
+			</li>
+		</ul>
+		<div class="tab-content" id="protocols">
+			<div class="tab-pane fade show active" id="s3" role="tabpanel" aria-labelledby="s3-tab">
+				<table class="table mt-4">
+					<tbody>
+						<tr>
+							<th scope="row" class="col-md-2">Identifiant de clé</th>
+							<td>{{ .View.AccessKeyId }}</td>
+						</tr>
+						<tr>
+							<th scope="row">Clé secrète</th>
+							<td>
+								<a href="#" onclick="document.getElementById('secret_key').style.display='inline'; this.style.display='none'">[Afficher la clé secrète]</a>
+								<span id="secret_key" style="display: none">{{ .View.SecretAccessKey }}</span>
+							</td>
+						</tr>
+						<tr>
+							<th scope="row">Région</th>
+							<td>garage</td>
+						</tr>
+						<tr>
+							<th scope="row">Endpoint URL</th>
+							<td>https://garage.deuxfleurs.fr</td>
+						</tr>
+						<tr>
+							<th scope="row">Type d'URL</th>
+							<td>DNS et chemin (préférer chemin)</td>
+						</tr>
+						<tr>
+							<th scope="row">Signature</th>
+							<td>Version 4</td>
+						</tr>
+					</tbody>
+				</table>
+
+				<p>Configurer votre logiciel :</p>
+
+				<div class="accordion" id="softconfig">
+					<div class="card">
+						<div class="card-header" id="awscli-title">
+							<h2 class="mb-0">
+								<button class="btn btn-link btn-block text-left collapsed" type="button" data-toggle="collapse" data-target="#awscli" aria-expanded="false" aria-controls="awscli">
+									awscli (tout générateur de site statique)
+								</button>
+							</h2>
+						</div>
+						<div id="awscli" class="collapse show" aria-labelledby="awscli-title" data-parent="#softconfig">
+							<div class="card-body">
+								<p>Lancez la commande :</p>
+								<pre>aws --profile {{ .View.Name.Pretty }} configure</pre>
+
+								<p>Entrez les informations suivantes quand elles vous sont demandées :</p>
+								<dl>
+									<dt>AWS Access Key ID [None]:</dt><dd>{{ .View.AccessKeyId }}</dd>
+									<dt>AWS Secret Access Key [None]:</dt><dd><a href="#" onclick="document.getElementById('aws_secret_key').style.display='inline'; this.style.display='none'">[Afficher la clé secrète]</a><span id="aws_secret_key" style="display: none">{{ .View.SecretAccessKey }}</span></dd>
+									<dt>Default region name [None]:</dt> <dd>garage</dd>
+									<dt>Default output format [None]:</dt> <dd>(laissez vide et appuyez sur entrée)</dd>
+								</dl>
+
+								<p>Finalisez la configuration :</p>
+								<pre>aws --profile {{ .View.Name.Pretty }} configure set endpoint_url https://garage.deuxfleurs.fr</pre>
+
+
+								<p>Pour déployer votre dossier local <code>public</code> lancez :</p>
+								<pre>
+aws --profile {{ .View.Name.Pretty }} s3 sync ./public s3://{{ .View.Name.Pretty }}
+								</pre>
+							</div>
+						</div>
+					</div>
+
+					<div class="card">
+						<div class="card-header" id="minio-title">
+							<h2 class="mb-0">
+								<button class="btn btn-link btn-block text-left" type="button" data-toggle="collapse" data-target="#minio" aria-expanded="true" aria-controls="minio">
+									Minio CLI (tout générateur de site statique)
+								</button>
+							</h2>
+						</div>
+
+						<div id="minio" class="collapse" aria-labelledby="minio-title" data-parent="#softconfig">
+							<div class="card-body">
+								<p>Vous pouvez configurer Minio CLI avec cette commande :</p>
+								<pre>
+mc alias set \
+  {{ .View.Name.Pretty }} \
+  https://garage.deuxfleurs.fr \
+  {{ .View.AccessKeyId }} \
+  <a href="#" onclick="document.getElementById('minio_secret_key').style.display='inline'; this.style.display='none'">[Afficher la clé secrète]</a><span id="minio_secret_key" style="display: none">{{ .View.SecretAccessKey }}</span> \
+  --api S3v4
+								</pre>
+								<p>Et ensuite copiez votre site web avec la sous-commande mirror de Minio CLI :</p>
+								<pre>
+mc mirror --overwrite ./public/ {{ .View.Name.Pretty }}/
+								</pre>
+							</div>
+						</div>
+					</div>
+
+					<div class="card">
+						<div class="card-header" id="hugo-title">
+							<h2 class="mb-0">
+								<button class="btn btn-link btn-block text-left collapsed" type="button" data-toggle="collapse" data-target="#hugo" aria-expanded="false" aria-controls="hugo">
+									Hugo
+								</button>
+							</h2>
+						</div>
+						<div id="hugo" class="collapse" aria-labelledby="hugo-title" data-parent="#softconfig">
+							<div class="card-body">
+								<p>Créez un fichier nommé <code>.deployment.secrets</code> (ne commitez pas ce fichier dans votre dépôt !) :</p>
+								<pre>
+export AWS_ACCESS_KEY_ID={{ .View.AccessKeyId }}
+export AWS_SECRET_ACCESS_KEY=<a href="#" onclick="document.getElementById('ugo_secret_key').style.display='inline'; this.style.display='none'">[Afficher la clé secrète]</a><span id="hugo_secret_key" style="display: none">{{ .View.SecretAccessKey }}</span>
+								</pre>
+								<p>Dans votre fichier de configuration Hugo <code>config.toml</code> (que vous pouvez commiter), rajoutez :</p>
+								<pre>
+[[deployment.targets]]
+ URL = "s3://bucket?endpoint=garage.deuxfleurs.fr&amp;s3ForcePathStyle=true&amp;region=garage"
+								</pre>
+
+								<p>Pour déployer, sourcez le fichier de configuration et laissez hugo faire : </p>
+								<pre>
+source .deployment.secrets
+hugo deploy
+								</pre>
+							</div>
+						</div>
+					</div>
+				</div>
+			</div>
+
+			<div class="tab-pane fade" id="sftp" role="tabpanel" aria-labelledby="sftp-tab">
+				<br>
+				<div class="alert alert-danger" role="alert">
+					N'automatisez pas votre déploiement en SFTP car vous risqueriez de faire fuiter votre mot de passe.<br>
+					Pour toute forme d'automatisation, préférez le protocole S3.
+				</div>
+				<div class="alert alert-warning" role="alert">
+					L'algorithme de clé utilisé par le serveur est désactivé par défaut sur les clients SSH récents.<br>
+					Vous devez rajouter l'option -oHostKeyAlgorithms=+ssh-rsa pour vous connecter.
+				</div>
+
+				<table class="table mt-4">
+					<tbody>
+						<tr>
+							<th scope="row">Nom d'utilisateur-ice</th>
+							<td>{{ .Describe.Username }}</td>
+						</tr>
+						<tr>
+							<th scope="row">Mot de passe</th>
+							<td>(votre mot de passe guichet)</td>
+						</tr>
+						<tr>
+							<th scope="row">Hôte</th>
+							<td>sftp://sftp.deuxfleurs.fr</td>
+						</tr>
+						<tr>
+							<th scope="row">Port</th>
+							<td>2222</td>
+						</tr>
+					</tbody>
+				</table>
+				<p>Configurez votre logiciel :</p>
+
+				<div class="accordion" id="softconfig2">
+					<div class="card">
+						<div class="card-header" id="scp-title">
+							<h2 class="mb-0">
+								<button class="btn btn-link btn-block text-left collapsed" type="button" data-toggle="collapse" data-target="#filezilla" aria-expanded="false" aria-controls="filezilla">
+									scp
+								</button>
+							</h2>
+						</div>
+						<div id="filezilla" class="collapse show" aria-labelledby="scp-title" data-parent="#softconfig2">
+							<div class="card-body">
+								<p>Déployer le dossier local <em>public</em> sur le site web {{ .View.Name.Pretty }} :</p>
+								<pre>
+scp -oHostKeyAlgorithms=+ssh-rsa -P2222 -r ./public {{ .Describe.Username }}@sftp.deuxfleurs.fr:{{ .View.Name.Pretty }}/
+								</pre>
+							</div>
+						</div>
+					</div>
+					<div class="card">
+						<div class="card-header" id="filezilla-title">
+							<h2 class="mb-0">
+								<button class="btn btn-link btn-block text-left collapsed" type="button" data-toggle="collapse" data-target="#filezilla" aria-expanded="false" aria-controls="filezilla">
+									Filezilla
+								</button>
+							</h2>
+						</div>
+						<div id="filezilla" class="collapse" aria-labelledby="filezilla-title" data-parent="#softconfig2">
+							<div class="card-body">
+								<p>Dans la barre de connexion rapide du haut, entrez :</p>
+								<dl>
+									<dt>Hôte</dt> <dd>sftp://sftp.deuxfleurs.fr</dd>
+									<dt>Nom d'utilisateur</dt> <dd>{{ .Describe.Username }}</dd>
+									<dt>Mot de passe</dt> <dd>(votre mot de passe guichet)</dd>
+									<dt>Port</dt> <dd>2222</dd>
+								</dl>
+								<p>Cliquez ensuite sur <strong>Connexion rapide</strong></p>
+							</div>
+						</div>
+					</div>
+				</div>
+			</div>
+
+			<div class="tab-pane fade" id="dav" role="tabpanel" aria-labelledby="dav-tab">
+				<br>
+				<div class="alert alert-danger" role="alert">
+					N'automatisez pas votre déploiement en WebDAV car vous risqueriez de faire fuiter votre mot de passe.<br>
+					Pour toute forme d'automatisation, préférez le protocole S3.
+				</div>
+
+				<table class="table mt-4">
+					<tbody>
+						<tr>
+							<th scope="row">Nom d'utilisateur-ice</th>
+							<td>{{ .Describe.Username }}</td>
+						</tr>
+						<tr>
+							<th scope="row">Mot de passe</th>
+							<td>(votre mot de passe guichet)</td>
+						</tr>
+						<tr>
+							<th scope="row">Hôte</th>
+							<td>https://bagage.deuxfleurs.fr ou davs://bagage.deuxfleurs.fr</td>
+						</tr>
+						<tr>
+							<th scope="row">Port</th>
+							<td>443 (par défaut)</td>
+						</tr>
+					</tbody>
+				</table>
+				<p>Configurez votre logiciel :</p>
+
+				<div class="accordion" id="softconfig3">
+					<div class="card">
+						<div class="card-header" id="drive-title">
+							<h2 class="mb-0">
+								<button class="btn btn-link btn-block text-left collapsed" type="button" data-toggle="collapse" data-target="#drive" aria-expanded="false" aria-controls="filezilla">
+									Explorateur web
+								</button>
+							</h2>
+						</div>
+						<div id="drive" class="collapse show" aria-labelledby="drive-title" data-parent="#softconfig3">
+							<div class="card-body">
+								<p>Vous pouvez naviguer dans vos fichiers via l'explorateur web.
+								Utilisez simplement vos identifiants Guichet, l'explorateur est préconfiguré.</p>
+
+								<p><a href="https://drive.deuxfleurs.fr">Accéder à l'explorateur</a></p>
+							</div>
+						</div>
+					</div>
+				</div>
+			</div>
+
+		</div>
+	</div>
+
+	{{ if .View.Name.Expanded }}
+	<h5 class="mt-5">Vous ne savez pas comment configurer votre nom de domaine ?</h5>
+	<p> Le nom de domaine {{ .View.Name.Url }} n'est pas géré par Deuxfleurs, il vous revient donc de configurer la zone DNS. Vous devez ajouter une entrée <code>CNAME garage.deuxfleurs.fr</code> ou <code>ALIAS garage.deuxfleurs.fr</code> auprès de votre hébergeur DNS, qui est souvent aussi le bureau d'enregistrement (eg. Gandi, GoDaddy, BookMyName, etc.).</p>
+	{{ end }}
+
+
+</div>
+{{ end }}
+

templates/garage_website_new.html

@@ -0,0 +1,72 @@
+{{define "title"}}Créer un site web |{{end}}
+
+{{define "body"}}
+<div class="d-flex">
+    <h4>Créer un site web</h4>
+    <a class="ml-auto btn btn-link" href="/website/configure">Mes identifiants</a>
+    <a class="ml-4 btn btn-info" href="/website">Mes sites webs</a>
+</div>
+
+<div class="row mt-3">
+	<div class="col-md-12">
+	{{if .Err}}
+		<div class="alert alert-danger">{{ .Err.Error }}</div>
+  	{{end}}
+	</div>
+</div>
+
+<ul class="nav nav-tabs" id="proto" role="tablist">
+    <li class="nav-item">
+        <a class="nav-link active" id="dnsint-tab" data-toggle="tab" href="#dnsint" role="tab" aria-controls="dnsint" aria-selected="true">Je n'ai pas de nom de domaine</a>
+    </li>
+    <li class="nav-item">
+        <a class="nav-link" id="dnsext-tab" data-toggle="tab" href="#dnsext" role="tab" aria-controls="dnsext" aria-selected="false">Utiliser mon propre nom de domaine</a>
+    </li>
+</ul>
+
+<div class="tab-content" id="protocols">
+
+    <div class="tab-pane fade show active" id="dnsint" role="tabpanel" aria-labelledby="dnsint-tab">
+        <form method="POST" class="mt-4">
+            <div class="form-row">
+                <div class="form-group col-md-6">
+                    <label for="bucket">Sous-domaine désiré :</label>
+                    <input type="text" id="bucket" name="bucket" placeholder="mon-site" class="form-control" value="" onkeyup="document.getElementById('url').value = `https://${document.getElementById('bucket').value}.web.deuxfleurs.fr`" />
+                </div>
+                <div class="form-group col-md-6">
+                    <label for="url">Votre site sera accessible à l'URL suivante :</label>
+                    <input type="text" id="url" disabled="true" name="url" class="form-control" value="https://mon-site.web.deuxfleurs.fr" />
+                </div>
+            </div>
+            <div class="mt-4">
+                <p>La première fois que vous chargerez votre site web, une erreur de certificat sera renvoyée. C'est normal, il faudra patienter quelques minutes le temps que le certificat se génère.</p>
+            </div>
+            <button type="submit" class="btn btn-primary">Créer un nouveau site web</button>
+        </form>
+    </div>
+    <div class="tab-pane fade show" id="dnsext" role="tabpanel" aria-labelledby="dnsext-tab">
+        <form method="POST" class="mt-4">
+            <div class="form-row">
+                <div class="form-group col-md-6">
+                    <label for="bucket2">Votre nom de domaine :</label>
+                    <input type="text" id="bucket2" name="bucket2" placeholder="example.com" class="form-control" value="" onkeyup="document.getElementById('url2').value = `https://${document.getElementById('bucket2').value}`" />
+                </div>
+                <div class="form-group col-md-6">
+                    <label for="url2">Votre site sera accessible à l'URL suivante :</label>
+                    <input type="text" id="url2" disabled="true" name="url2" class="form-control" value="https://example.com" />
+                </div>
+            </div>
+            <div>
+                <p>Vous devez éditer votre zone DNS, souvent gérée par votre bureau d'enregistrement, comme Gandi, pour la faire pointer vers Deuxfleurs. Si vous utilisez un sous domaine (eg. <code>site.example.com</code>), une entrée <code>CNAME</code> est appropriée :</p>
+                <pre>site   CNAME    3600    garage.deuxfleurs.fr.</pre>
+                <p>Si vous utilisez la racine de votre nom de domaine (eg. <code>example.com</code>, aussi appelée APEX), la solution dépend de votre fournisseur DNS, il vous faudra au choix une entrée <code>ALIAS</code> ou <code>CNAME</code> en fonction de ce que votre fournisseur supporte :</p>
+                <pre>@      ALIAS    3600    garage.deuxfleurs.fr.</pre>
+                <p>La première fois que vous chargerez votre site web, une erreur de certificat sera renvoyée. C'est normal, il faudra patienter quelques minutes le temps que le certificat se génère.</p>
+            </div>
+            <div class="mt-4">
+            <button type="submit" class="btn btn-primary">Créer un nouveau site web</button>
+        </form>
+
+    </div>
+</div>
+{{end}}

templates/home.html

@@ -2,13 +2,13 @@
 
 {{define "body"}}
 <div class="alert alert-info">
-    Bienvenue, <strong>{{ .Login.WelcomeName }}</strong> !
+    Bienvenue, <strong>{{ .User.WelcomeName }}</strong> !
 </div>
 <div class="d-flex">
   <a class="ml-auto btn btn-sm btn-dark" href="/logout">Se déconnecter</a>
 </div>
-<div class="mt-3"></div>
 
+<div class="mt-3">
     <div class="card">
         <div class="card-header">
             Mon compte
@@ -19,8 +19,20 @@
             <a class="list-group-item list-group-item-action" href="/directory">Annuaire</a>
         </div>
     </div>
+</div>
 
-{{if .Login.CanInvite}}
+<div class="mt-3">
+    <div class="card">
+        <div class="card-header">
+            Mes services
+        </div>
+        <div class="list-group list-group-flush">
+            <a class="list-group-item list-group-item-action" href="/website">Mes sites Web</a>
+        </div>
+    </div>
+</div>
+
+{{if .User.Capabilities.CanInvite}}
 <div class="card mt-3">
   <div class="card-header">
     Inviter des gens sur Deuxfleurs
@@ -32,14 +44,15 @@
 </div>
 {{end}}
 
-{{if .Login.CanAdmin}}
+{{if .User.Capabilities.CanAdmin}}
   <div class="card mt-3">
     <div class="card-header">
       Administration
     </div>
     <div class="list-group list-group-flush">
-      <a class="list-group-item list-group-item-action" href="/admin/users">Utilisateurs</a>
+      <a class="list-group-item list-group-item-action" href="/admin/users">Utilisateur·ices</a>
       <a class="list-group-item list-group-item-action" href="/admin/groups">Groupes</a>
+      <a class="list-group-item list-group-item-action" href="/admin/mailing">Mailing lists</a>
       <a class="list-group-item list-group-item-action" href="/admin/ldap/{{.BaseDN}}">Explorateur LDAP</a>
     </div>
   </div>

templates/invite_new_account.html

@@ -12,7 +12,7 @@
     </div>
   {{end}}
   {{if .WarningMessage}}
-    <div class="alert alert-danger mt-4">Des erreurs se sont produtes, le compte pourrait ne pas être totalement fonctionnel.
+    <div class="alert alert-danger mt-4">Des erreurs se sont produites, le compte pourrait ne pas être totalement fonctionnel.
       <div style="font-size: 0.8em">{{ .WarningMessage }}</div>
     </div>
   {{end}}
@@ -25,12 +25,15 @@
     <form method="POST" class="mt-4">
       <h5>Renseignements obligatoires</h5>
       <div class="form-group">
-        <label for="username">Nom d'utilisateur souhaité :</label>
+        <label for="username">Identifiant souhaité :</label>
         <input type="text" id="username" name="username" class="form-control" value="{{ .Username }}" />
+	<small class="form-text text-muted">
+	  Votre identifiant doit être en minuscule.
+	</small>
       </div>
       {{if .ErrorInvalidUsername}}
         <div class="alert alert-warning">
-          Nom d'utilisateur invalide. Ne peut contenir que les caractères suivants : chiffres, lettres, point, tiret bas (_) et tiret du milieu (-).
+          Nom d'utilisateur invalide. Ne peut contenir que les caractères suivants : chiffres, lettres minuscules, point, tiret bas (_) et tiret du milieu (-).
         </div>
       {{end}}
       {{if .ErrorUsernameTaken}}
@@ -41,6 +44,9 @@
       <div class="form-group">
         <label for="password">Mot de passe :</label>
         <input type="password" id="password" name="password" class="form-control" />
+	<small class="form-text text-muted">
+	  La seule contrainte est que votre mot de passe doit faire au moins 8 caractères. Utilisez chiffres, majuscules, et caractères spéciaux sans modération !
+	</small>
       </div>
       {{if .ErrorPasswordTooShort}}
         <div class="alert alert-warning">
@@ -58,6 +64,9 @@
       {{end}}
 
       <h5>Renseignements optionnels</h5>
+      <small class="form-text text-muted">
+        Ces informations sont utilisées exclusivement pour "pré-configurer" les services que vous utiliserez, elles n'ont pas besoin de correspondre à votre état civil.
+      </small>
       <div class="form-group">
         <label for="displayname">Nom complet :</label>
         <input type="text" id="displayname" name="displayname" class="form-control" value="{{ .DisplayName }}" />

templates/layout.html

@@ -6,13 +6,15 @@
 
   <link rel="stylesheet" href="/static/css/bootstrap.min.css">
 
-  <title>{{template "title"}} Guichet</title>
+  <title>{{template "title" .}} Guichet</title>
 </head>
 <body>
-  <div class="container">
+  <div class="container mb-4">
     <h1>Guichet Deuxfleurs💮💮</h1>
     <hr />
     {{template "body" .}}
   </div>
+  <script src="/static/javascript/jquery.slim.min.js"></script>
+  <script src="/static/javascript/bootstrap.bundle.min.js"></script>
 </body>
 </html>

templates/login.html

@@ -5,7 +5,7 @@
 
 <form method="POST">
   {{if .WrongUser}}
-    <div class="alert alert-danger">Nom d'utilisateur invalide.</div>
+    <div class="alert alert-danger">Identifiant invalide.</div>
   {{end}}
   {{if .WrongPass}}
     <div class="alert alert-danger">Mot de passe invalide.</div>
@@ -16,7 +16,7 @@
     </div>
   {{end}}
   <div class="form-group">
-    <label for="username">Nom d'utilisateur:</label>
+    <label for="username">Identifiant :</label>
     <input type="text" name="username" id="username" class="form-control" value="{{ .Username }}" />
   </div>
   <div class="form-group">
@@ -30,6 +30,6 @@
 
 <p><strong>Mot de passe oublié ?</strong>
 Écrivez à <samp>coucou</samp><img src="static/image/at_sign.svg" style="height: 1em" alt="arobase" /><samp>deuxfleurs.fr</samp>
-  ou contactez directement votre administrateur favori.</p>
+  ou contactez directement votre opérateur·ice préféré·e.</p>
 
 {{end}}

templates/profile.html

@@ -19,8 +19,8 @@
   <form method="POST" class="mt-4" enctype="multipart/form-data">
     <div class="form-row">
       <div class="form-group col-md-6">
-        <label>Nom d'utilisateur:</label>
+        <label>Identifiant:</label>
-        <input type="text" disabled="true" class="form-control" value="{{ .Status.Info.Username }}" />
+        <input type="text" disabled="true" class="form-control" value="{{ .User.Login.Info.Username }}" />
       </div>
       <div class="form-group col-md-6">
         <label for="mail">Adresse e-mail:</label>

website.go

@@ -0,0 +1,435 @@
+package main
+
+import (
+	"fmt"
+	garage "git.deuxfleurs.fr/garage-sdk/garage-admin-sdk-golang"
+	"log"
+	"sort"
+	"strings"
+)
+
+var (
+	ErrWebsiteNotFound              = fmt.Errorf("Website not found")
+	ErrFetchBucketInfo              = fmt.Errorf("Failed to fetch bucket information")
+	ErrWebsiteQuotaReached          = fmt.Errorf("Can't create additional websites, quota reached")
+	ErrEmptyBucketName              = fmt.Errorf("You can't create a website with an empty name")
+	ErrCantCreateBucket             = fmt.Errorf("Can't create this bucket. Maybe another bucket already exists with this name or you have an invalid character")
+	ErrCantAllowKey                 = fmt.Errorf("Can't allow given key on the target bucket")
+	ErrCantConfigureBucket          = fmt.Errorf("Unable to configure the bucket (activating website, adding quotas, etc.)")
+	ErrBucketDeleteNotEmpty         = fmt.Errorf("You must remove all the files before deleting a bucket")
+	ErrBucketDeleteUnfinishedUpload = fmt.Errorf("You must remove all the unfinished multipart uploads before deleting a bucket")
+	ErrCantChangeVhost              = fmt.Errorf("Can't change the vhost to the desired value. Maybe it's already used by someone else or an internal error occured")
+	ErrCantRemoveOldVhost           = fmt.Errorf("The new vhost is bound to the bucket but the old one can't be removed, it's an internal error")
+	ErrFetchDedicatedKey            = fmt.Errorf("Bucket has no dedicated key while it's required, it's an internal error")
+	ErrDedicatedKeyInvariant        = fmt.Errorf("A security invariant on the dedicated key has been violated, aborting.")
+)
+
+type WebsiteId struct {
+	Pretty   string   `json:"name"`
+	Internal string   `json:"-"`
+	Alt      []string `json:"alt_name"`
+	Expanded bool     `json:"expanded"`
+	Url      string   `json:"domain"`
+}
+
+func NewWebsiteId(id string, aliases []string) *WebsiteId {
+	pretty := id
+	var alt []string
+	if len(aliases) > 0 {
+		pretty = aliases[0]
+		alt = aliases[1:]
+	}
+	expanded := strings.Contains(pretty, ".")
+
+	url := pretty
+	if !expanded {
+		url = fmt.Sprintf("%s.web.deuxfleurs.fr", pretty)
+	}
+
+	return &WebsiteId{pretty, id, alt, expanded, url}
+}
+func NewWebsiteIdFromBucketInfo(binfo *garage.BucketInfo) *WebsiteId {
+	return NewWebsiteId(*binfo.Id, binfo.GlobalAliases)
+}
+
+// -----
+
+type WebsiteDescribe struct {
+	Username             string       `json:"username"`
+	AllowedWebsites      *QuotaStat   `json:"quota_website_count"`
+	BurstBucketQuotaSize string       `json:"burst_bucket_quota_size"`
+	Websites             []*WebsiteId `json:"vhosts"`
+}
+
+type WebsiteController struct {
+	User         *LoggedUser
+	RootKey      *garage.KeyInfo
+	WebsiteIdx   map[string]*WebsiteId
+	PrettyList   []string
+	WebsiteCount QuotaStat
+}
+
+func NewWebsiteController(user *LoggedUser) (*WebsiteController, error) {
+	idx := map[string]*WebsiteId{}
+	var wlist []string
+
+	keyInfo, err := user.S3KeyInfo()
+	if err != nil {
+		return nil, err
+	}
+
+	for _, bckt := range keyInfo.Buckets {
+		if len(bckt.GlobalAliases) > 0 {
+			wid := NewWebsiteId(*bckt.Id, bckt.GlobalAliases)
+			idx[wid.Pretty] = wid
+			wlist = append(wlist, wid.Pretty)
+		}
+	}
+	sort.Strings(wlist)
+
+	maxW := user.Quota.WebsiteCount
+	quota := NewQuotaStat(int64(len(wlist)), maxW, true)
+
+	return &WebsiteController{user, keyInfo, idx, wlist, quota}, nil
+}
+
+func (w *WebsiteController) getDedicatedWebsiteKey(binfo *garage.BucketInfo) (*garage.KeyInfo, error) {
+	// Check bucket info is not null
+	if binfo == nil {
+		return nil, ErrFetchBucketInfo
+	}
+
+	// Check the bucket is owned by the user's root key
+	usersRootKeyFound := false
+	for _, bucketKeyInfo := range binfo.Keys {
+		if *bucketKeyInfo.AccessKeyId == *w.RootKey.AccessKeyId && *bucketKeyInfo.Permissions.Owner {
+			usersRootKeyFound = true
+			break
+		}
+	}
+	if !usersRootKeyFound {
+		log.Printf("%s is not an owner of bucket %s. Invariant violated.\n", w.User.Username, *binfo.Id)
+		return nil, ErrDedicatedKeyInvariant
+	}
+
+	// Check that username does not contain a ":" (should not be possible due to the invitation regex)
+	// We do this check as ":" is used as a separator
+	if strings.Contains(w.User.Username, ":") || w.User.Username == "" || *binfo.Id == "" {
+		log.Printf("Username (%s) or bucket identifier (%s) is invalid. Invariant violated.\n", w.User.Username, *binfo.Id)
+		return nil, ErrDedicatedKeyInvariant
+	}
+
+	// Build the string template by concatening the username and the bucket identifier
+	dedicatedKeyName := fmt.Sprintf("%s:web:%s", w.User.Username, *binfo.Id)
+
+	// Try to fetch the dedicated key
+	keyInfo, err := grgSearchKey(dedicatedKeyName)
+	if err != nil {
+		// On error, try to create it.
+		// @FIXME we should try to create only on 404 Not Found errors
+		keyInfo, err = grgCreateKey(dedicatedKeyName)
+		if err != nil {
+			// On error again, abort
+			return nil, err
+		}
+		log.Printf("Created dedicated key %s\n", dedicatedKeyName)
+	}
+
+	// Check that the key name is *exactly* the one we requested
+	if *keyInfo.Name != dedicatedKeyName {
+		log.Printf("Expected key: %s, got %s. Invariant violated.\n", dedicatedKeyName, *keyInfo.Name)
+		return nil, ErrDedicatedKeyInvariant
+	}
+
+	// Check that the dedicated key does not contain any other bucket than this one
+	// and report if this bucket key is found with correct permissions
+	permissionsOk := false
+	for _, buck := range keyInfo.Buckets {
+		if *buck.Id != *binfo.Id {
+			log.Printf("Key %s is used on bucket %s while it should be exclusive to %s. Invariant violated.\n", dedicatedKeyName, *buck.Id, *binfo.Id)
+			return nil, ErrDedicatedKeyInvariant
+		}
+		if *buck.Id == *binfo.Id && *buck.Permissions.Read && *buck.Permissions.Write {
+			permissionsOk = true
+		}
+	}
+
+	// Allow this bucket on the key if it's not already the case
+	// (will be executed when 1) key is first created and 2) as an healing mechanism)
+	if !permissionsOk {
+		binfo, err = grgAllowKeyOnBucket(*binfo.Id, *keyInfo.AccessKeyId, true, true, false)
+		if err != nil {
+			return nil, err
+		}
+		log.Printf("Key %s was not properly allowed on bucket %s, fixing permissions. Intended behavior.", dedicatedKeyName, *binfo.Id)
+
+		// Refresh the key to have an object with proper permissions
+		keyInfo, err = grgGetKey(*keyInfo.AccessKeyId)
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	// Return the key
+	return keyInfo, nil
+}
+
+func (w *WebsiteController) flushDedicatedWebsiteKey(binfo *garage.BucketInfo) error {
+	// Check bucket info is not null
+	if binfo == nil {
+		return ErrFetchBucketInfo
+	}
+
+	// Check the bucket is owned by the user's root key
+	usersRootKeyFound := false
+	for _, bucketKeyInfo := range binfo.Keys {
+		if *bucketKeyInfo.AccessKeyId == *w.RootKey.AccessKeyId && *bucketKeyInfo.Permissions.Owner {
+			usersRootKeyFound = true
+			break
+		}
+	}
+	if !usersRootKeyFound {
+		log.Printf("%s is not an owner of bucket %s. Invariant violated.\n", w.User.Username, *binfo.Id)
+		return ErrDedicatedKeyInvariant
+	}
+
+	// Build the string template by concatening the username and the bucket identifier
+	dedicatedKeyName := fmt.Sprintf("%s:web:%s", w.User.Username, *binfo.Id)
+
+	// Fetch the dedicated key
+	keyInfo, err := grgSearchKey(dedicatedKeyName)
+	if err != nil {
+		return err
+	}
+
+	// Check that the key name is *exactly* the one we requested
+	if *keyInfo.Name != dedicatedKeyName {
+		log.Printf("Expected key: %s, got %s. Invariant violated.\n", dedicatedKeyName, *keyInfo.Name)
+		return ErrDedicatedKeyInvariant
+	}
+
+	// Check that the dedicated key contains no other bucket than this one
+	// (can also be empty, useful to heal a partially created key)
+	for _, buck := range keyInfo.Buckets {
+		if *buck.Id != *binfo.Id {
+			log.Printf("Key %s is used on bucket %s while it should be exclusive to %s. Invariant violated.\n", dedicatedKeyName, *buck.Id, *binfo.Id)
+			return ErrDedicatedKeyInvariant
+		}
+	}
+
+	// Finally delete this key
+	err = grgDelKey(*keyInfo.AccessKeyId)
+	if err != nil {
+		return err
+	}
+	log.Printf("Deleted dedicated key %s", dedicatedKeyName)
+	return nil
+}
+
+func (w *WebsiteController) Describe() (*WebsiteDescribe, error) {
+	r := make([]*WebsiteId, 0, len(w.PrettyList))
+	for _, k := range w.PrettyList {
+		r = append(r, w.WebsiteIdx[k])
+	}
+
+	return &WebsiteDescribe{
+		w.User.Username,
+		&w.WebsiteCount,
+		w.User.Quota.WebsiteSizeBurstedPretty(),
+		r,
+	}, nil
+}
+
+func (w *WebsiteController) Inspect(pretty string) (*WebsiteView, error) {
+	website, ok := w.WebsiteIdx[pretty]
+	if !ok {
+		return nil, ErrWebsiteNotFound
+	}
+
+	binfo, err := grgGetBucket(website.Internal)
+	if err != nil {
+		return nil, ErrFetchBucketInfo
+	}
+
+	dedicatedKey, err := w.getDedicatedWebsiteKey(binfo)
+	if err != nil {
+		return nil, err
+	}
+
+	return NewWebsiteView(binfo, dedicatedKey)
+}
+
+func (w *WebsiteController) Patch(pretty string, patch *WebsitePatch) (*WebsiteView, error) {
+	website, ok := w.WebsiteIdx[pretty]
+	if !ok {
+		return nil, ErrWebsiteNotFound
+	}
+
+	binfo, err := grgGetBucket(website.Internal)
+	if err != nil {
+		return nil, ErrFetchBucketInfo
+	}
+
+	// Patch the max size
+	urQuota := garage.NewUpdateBucketRequestQuotas()
+	urQuota.SetMaxSize(w.User.Quota.WebsiteSizeAdjust(binfo.Quotas.GetMaxSize()))
+	urQuota.SetMaxObjects(w.User.Quota.WebsiteObjectAdjust(binfo.Quotas.GetMaxObjects()))
+	if patch.Size != nil {
+		urQuota.SetMaxSize(w.User.Quota.WebsiteSizeAdjust(*patch.Size))
+	}
+
+	// Build the update
+	ur := garage.NewUpdateBucketRequest()
+	ur.SetQuotas(*urQuota)
+
+	// Call garage "update bucket" function
+	binfo, err = grgUpdateBucket(website.Internal, ur)
+	if err != nil {
+		return nil, ErrCantConfigureBucket
+	}
+
+	// Update the alias if the vhost field is set and different
+	if patch.Vhost != nil && *patch.Vhost != "" && *patch.Vhost != pretty {
+		binfo, err = grgAddGlobalAlias(website.Internal, *patch.Vhost)
+		if err != nil {
+			return nil, ErrCantChangeVhost
+		}
+		binfo, err = grgDelGlobalAlias(website.Internal, pretty)
+		if err != nil {
+			return nil, ErrCantRemoveOldVhost
+		}
+	}
+
+	if patch.RotateKey != nil && *patch.RotateKey {
+		err = w.flushDedicatedWebsiteKey(binfo)
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	dedicatedKey, err := w.getDedicatedWebsiteKey(binfo)
+	if err != nil {
+		return nil, err
+	}
+
+	return NewWebsiteView(binfo, dedicatedKey)
+}
+
+func (w *WebsiteController) Create(pretty string) (*WebsiteView, error) {
+	if pretty == "" {
+		return nil, ErrEmptyBucketName
+	}
+
+	if w.WebsiteCount.IsFull() {
+		return nil, ErrWebsiteQuotaReached
+	}
+
+	// Create bucket
+	binfo, err := grgCreateBucket(pretty)
+	if err != nil {
+		return nil, ErrCantCreateBucket
+	}
+
+	// Allow user's global key on bucket
+	s3key, err := w.User.S3KeyInfo()
+	if err != nil {
+		return nil, err
+	}
+
+	binfo, err = grgAllowKeyOnBucket(*binfo.Id, *s3key.AccessKeyId, true, true, true)
+	if err != nil {
+		return nil, ErrCantAllowKey
+	}
+
+	// Set quota
+	qr := w.User.Quota.DefaultWebsiteQuota()
+	wr := allowWebsiteDefault()
+
+	ur := garage.NewUpdateBucketRequest()
+	ur.SetWebsiteAccess(*wr)
+	ur.SetQuotas(*qr)
+
+	binfo, err = grgUpdateBucket(*binfo.Id, ur)
+	if err != nil {
+		return nil, ErrCantConfigureBucket
+	}
+
+	// Create a dedicated key
+	dedicatedKey, err := w.getDedicatedWebsiteKey(binfo)
+	if err != nil {
+		return nil, err
+	}
+
+	return NewWebsiteView(binfo, dedicatedKey)
+}
+
+func (w *WebsiteController) Delete(pretty string) error {
+	if pretty == "" {
+		return ErrEmptyBucketName
+	}
+
+	website, ok := w.WebsiteIdx[pretty]
+	if !ok {
+		return ErrWebsiteNotFound
+	}
+
+	// Error checking
+	binfo, err := grgGetBucket(website.Internal)
+	if err != nil {
+		return ErrFetchBucketInfo
+	}
+
+	if *binfo.Objects > int64(0) {
+		return ErrBucketDeleteNotEmpty
+	}
+
+	if *binfo.UnfinishedUploads > int32(0) {
+		return ErrBucketDeleteUnfinishedUpload
+	}
+
+	// Delete dedicated key
+	err = w.flushDedicatedWebsiteKey(binfo)
+	if err != nil {
+		return err
+	}
+
+	// Actually delete bucket
+	err = grgDeleteBucket(website.Internal)
+	return err
+}
+
+type WebsiteView struct {
+	Name            *WebsiteId `json:"vhost"`
+	AccessKeyId     string     `json:"access_key_id"`
+	SecretAccessKey string     `json:"secret_access_key"`
+	Size            QuotaStat  `json:"quota_size"`
+	Files           QuotaStat  `json:"quota_files"`
+}
+
+func NewWebsiteView(binfo *garage.BucketInfo, s3key *garage.KeyInfo) (*WebsiteView, error) {
+	if binfo == nil {
+		return nil, ErrFetchBucketInfo
+	}
+	if s3key == nil {
+		return nil, ErrFetchDedicatedKey
+	}
+
+	q := binfo.GetQuotas()
+
+	wid := NewWebsiteIdFromBucketInfo(binfo)
+	size := NewQuotaStat(*binfo.Bytes, (&q).GetMaxSize(), true)
+	objects := NewQuotaStat(*binfo.Objects, (&q).GetMaxObjects(), false)
+	return &WebsiteView{
+		wid,
+		*s3key.AccessKeyId,
+		*s3key.SecretAccessKey.Get(),
+		size,
+		objects,
+	}, nil
+}
+
+type WebsitePatch struct {
+	Size      *int64  `json:"quota_size"`
+	Vhost     *string `json:"vhost"`
+	RotateKey *bool   `json:"rotate_key"`
+}

webui_website.go

@@ -0,0 +1,178 @@
+package main
+
+import (
+	"fmt"
+	"github.com/gorilla/mux"
+	"net/http"
+	"strings"
+)
+
+// --- Start page rendering functions
+func handleWebsiteList(w http.ResponseWriter, r *http.Request) {
+	user := RequireUserHtml(w, r)
+	if user == nil {
+		return
+	}
+
+	ctrl, err := NewWebsiteController(user)
+	if err != nil {
+		http.Error(w, err.Error(), http.StatusInternalServerError)
+		return
+	}
+
+	if len(ctrl.PrettyList) > 0 {
+		http.Redirect(w, r, "/website/inspect/"+ctrl.PrettyList[0], http.StatusFound)
+	} else {
+		http.Redirect(w, r, "/website/new", http.StatusFound)
+	}
+}
+
+type WebsiteNewTpl struct {
+	Ctrl *WebsiteController
+	Err  error
+}
+
+func handleWebsiteNew(w http.ResponseWriter, r *http.Request) {
+	user := RequireUserHtml(w, r)
+	if user == nil {
+		return
+	}
+
+	ctrl, err := NewWebsiteController(user)
+	if err != nil {
+		http.Error(w, err.Error(), http.StatusInternalServerError)
+		return
+	}
+
+	tpl := &WebsiteNewTpl{ctrl, nil}
+
+	tWebsiteNew := getTemplate("garage_website_new.html")
+	if r.Method == "POST" {
+		r.ParseForm()
+
+		bucket := strings.Join(r.Form["bucket"], "")
+		if bucket == "" {
+			bucket = strings.Join(r.Form["bucket2"], "")
+		}
+
+		view, err := ctrl.Create(bucket)
+		if err != nil {
+			tpl.Err = err
+			tWebsiteNew.Execute(w, tpl)
+			return
+		}
+
+		http.Redirect(w, r, "/website/inspect/"+view.Name.Pretty, http.StatusFound)
+		return
+	}
+
+	tWebsiteNew.Execute(w, tpl)
+}
+
+type WebsiteInspectTpl struct {
+	Describe *WebsiteDescribe
+	View     *WebsiteView
+	Err      error
+}
+
+func handleWebsiteInspect(w http.ResponseWriter, r *http.Request) {
+	var processErr error
+
+	user := RequireUserHtml(w, r)
+	if user == nil {
+		return
+	}
+
+	ctrl, err := NewWebsiteController(user)
+	if err != nil {
+		http.Error(w, err.Error(), http.StatusInternalServerError)
+		return
+	}
+
+	bucketName := mux.Vars(r)["bucket"]
+
+	if r.Method == "POST" {
+		r.ParseForm()
+		action := strings.Join(r.Form["action"], "")
+		switch action {
+		case "increase_quota":
+			_, processErr = ctrl.Patch(bucketName, &WebsitePatch{Size: &user.Quota.WebsiteSizeBursted})
+		case "delete_bucket":
+			processErr = ctrl.Delete(bucketName)
+			if processErr == nil {
+				http.Redirect(w, r, "/website", http.StatusFound)
+			}
+		case "rotate_key":
+			do_action := true
+			_, processErr = ctrl.Patch(bucketName, &WebsitePatch{RotateKey: &do_action})
+		default:
+			processErr = fmt.Errorf("Unknown action")
+		}
+
+	}
+
+	view, err := ctrl.Inspect(bucketName)
+	if err != nil {
+		http.Error(w, err.Error(), http.StatusInternalServerError)
+		return
+	}
+
+	describe, err := ctrl.Describe()
+	if err != nil {
+		http.Error(w, err.Error(), http.StatusInternalServerError)
+		return
+	}
+
+	tpl := &WebsiteInspectTpl{describe, view, processErr}
+
+	tWebsiteInspect := getTemplate("garage_website_inspect.html")
+	tWebsiteInspect.Execute(w, &tpl)
+}
+
+func handleWebsiteVhost(w http.ResponseWriter, r *http.Request) {
+	var processErr error
+
+	user := RequireUserHtml(w, r)
+	if user == nil {
+		return
+	}
+
+	ctrl, err := NewWebsiteController(user)
+	if err != nil {
+		http.Error(w, err.Error(), http.StatusInternalServerError)
+		return
+	}
+
+	bucketName := mux.Vars(r)["bucket"]
+
+	if r.Method == "POST" {
+		r.ParseForm()
+
+		bucket := strings.Join(r.Form["bucket"], "")
+		if bucket == "" {
+			bucket = strings.Join(r.Form["bucket2"], "")
+		}
+
+		view, processErr := ctrl.Patch(bucketName, &WebsitePatch{Vhost: &bucket})
+		if processErr == nil {
+			http.Redirect(w, r, "/website/inspect/"+view.Name.Pretty, http.StatusFound)
+			return
+		}
+	}
+
+	view, err := ctrl.Inspect(bucketName)
+	if err != nil {
+		http.Error(w, err.Error(), http.StatusInternalServerError)
+		return
+	}
+
+	describe, err := ctrl.Describe()
+	if err != nil {
+		http.Error(w, err.Error(), http.StatusInternalServerError)
+		return
+	}
+
+	tpl := &WebsiteInspectTpl{describe, view, processErr}
+	tWebsiteEdit := getTemplate("garage_website_edit.html")
+	tWebsiteEdit.Execute(w, &tpl)
+}