/*
Copyright 2017-2022 CAcert Inc.
SPDX-License-Identifier: Apache-2.0
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package main
import (
"bytes"
"crypto/x509"
"encoding/pem"
"errors"
"fmt"
"html/template"
"io/fs"
"net/http"
"path/filepath"
"runtime/debug"
"strconv"
"strings"
"github.com/Masterminds/sprig/v3"
"github.com/go-chi/chi/v5"
"github.com/go-playground/form/v4"
"github.com/justinas/nosurf"
"git.cacert.org/cacert-boardvoting/internal/models"
"git.cacert.org/cacert-boardvoting/ui"
)
// serverError writes err and the current goroutine's stack trace to the
// application's error log, then answers the request with a generic 500.
//
// The client only ever receives the standard status text; the error message
// and the stack trace stay in the server-side log.
func (app *application) serverError(w http.ResponseWriter, err error) {
	const status = http.StatusInternalServerError

	// Call depth 2 is passed so the log entry is attributed to the caller of
	// serverError rather than to this helper (assuming errorLog follows the
	// standard library log.Logger contract). A failure to write the log entry
	// is deliberately ignored: there is nowhere else to report it.
	_ = app.errorLog.Output(2, fmt.Sprintf("%s\n%s", err.Error(), debug.Stack()))

	http.Error(w, http.StatusText(status), status)
}
// clientError answers the request with the given HTTP status code and the
// standard status text for that code as the plain-text body.
func (app *application) clientError(w http.ResponseWriter, status int) {
	text := http.StatusText(status)
	http.Error(w, text, status)
}
// notFound answers the request with a 404 Not Found response by delegating
// to clientError.
func (app *application) notFound(w http.ResponseWriter) {
	const status = http.StatusNotFound
	app.clientError(w, status)
}
// decodePostForm parses the request's form data and decodes the POST body
// values (r.PostForm, not the URL query) into dst using the application's
// form decoder.
//
// It returns a wrapped error when the form cannot be parsed or a value cannot
// be decoded. A *form.InvalidDecoderError is treated differently and causes a
// panic: it reports an unusable dst argument, i.e. a bug in the calling
// handler rather than bad client input.
func (app *application) decodePostForm(r *http.Request, dst any) error {
	if err := r.ParseForm(); err != nil {
		return fmt.Errorf("could not parse HTML form: %w", err)
	}

	err := app.formDecoder.Decode(dst, r.PostForm)
	if err == nil {
		return nil
	}

	var invalidDecoderError *form.InvalidDecoderError
	if errors.As(err, &invalidDecoderError) {
		// Programming error in the handler: fail loudly instead of
		// reporting it to the client as a form problem.
		panic(err)
	}

	return fmt.Errorf("could not decode form: %w", err)
}
// newTemplateCache parses every page template found under html/pages in the
// embedded ui.Files file system, each together with html/base.html and all
// partials, and returns the parsed sets keyed by the page's base file name.
//
// The template function map is sprig's function map extended with:
//
//   - nl2br: HTML-escapes the text first and only then turns newlines into
//     <br> tags, so the value wrapped in template.HTML contains no markup
//     other than the inserted <br>. The escape must stay ahead of the
//     replacement for the #nosec annotation below to remain valid.
//   - canManageUsers, canVote, canStartVote: role checks delegated to
//     checkRole.
//
// NOTE(review): the role helpers decide what a template displays; handlers
// still need their own authorization checks - confirm they have them.
//
// NOTE(review): sprig's full function map is exposed to the templates. The
// templates come from the embedded file system, so only template authors can
// reach those functions; consider sprig's hermetic function map if the
// templates do not need the environment-dependent helpers.
func newTemplateCache() (map[string]*template.Template, error) {
	pages, err := fs.Glob(ui.Files, "html/pages/*.html")
	if err != nil {
		return nil, fmt.Errorf("could not find page templates: %w", err)
	}

	funcMaps := sprig.FuncMap()

	funcMaps["nl2br"] = func(text string) template.HTML {
		escaped := template.HTMLEscapeString(text)

		// #nosec G203 input is sanitized
		return template.HTML(strings.ReplaceAll(escaped, "\n", "<br>"))
	}

	funcMaps["canManageUsers"] = func(v *models.User) (bool, error) {
		return checkRole(v, models.RoleSecretary, models.RoleAdmin)
	}

	funcMaps["canVote"] = func(v *models.User) (bool, error) {
		return checkRole(v, models.RoleVoter)
	}

	// Starting a vote currently requires the same role as voting.
	funcMaps["canStartVote"] = func(v *models.User) (bool, error) {
		return checkRole(v, models.RoleVoter)
	}

	cache := make(map[string]*template.Template, len(pages))

	for _, page := range pages {
		ts, parseErr := template.New("").Funcs(funcMaps).ParseFS(
			ui.Files,
			"html/base.html",
			"html/partials/*.html",
			page,
		)
		if parseErr != nil {
			return nil, fmt.Errorf("could not parse base template: %w", parseErr)
		}

		cache[filepath.Base(page)] = ts
	}

	return cache, nil
}
// templateData is the value handed to the page templates when rendering.
type templateData struct {
	// Pagination links.
	PrevPage string
	NextPage string

	// Motion data for single-motion and motion-list pages.
	Motion  *models.Motion
	Motions []*models.Motion

	// User is set by newTemplateData from app.GetUser; Users is for user
	// list pages.
	User  *models.User
	Users []*models.User

	// Request is the request being answered.
	Request *http.Request

	// Flashes holds the flash messages taken from the session for this
	// response.
	Flashes []FlashMessage

	// Form carries page-specific form state.
	Form any

	// Navigation entries for the current page.
	ActiveNav    topLevelNavItem
	ActiveSubNav subLevelNavItem

	// CSRFToken is the nosurf token for the request, set by
	// newTemplateData.
	CSRFToken string
}
// newTemplateData builds the template data common to all pages: the request,
// the current user, the active navigation entries, the pending flash messages
// and the CSRF token for the request.
//
// Calling it consumes the flash messages stored in the session, because
// app.flashes pops them.
func (app *application) newTemplateData(
	r *http.Request,
	nav topLevelNavItem,
	subNav subLevelNavItem,
) *templateData {
	// The error from GetUser is discarded, so a failed lookup is
	// indistinguishable from "no user" here.
	// NOTE(review): confirm every route that renders templates has already
	// rejected requests without a valid user.
	currentUser, _ := app.GetUser(r)

	data := new(templateData)
	data.Request = r
	data.User = currentUser
	data.ActiveNav = nav
	data.ActiveSubNav = subNav
	data.Flashes = app.flashes(r)
	data.CSRFToken = nosurf.Token(r)

	return data
}
// render executes the "base" template of the cached template set named page
// with data and writes the result to w using the given status code.
//
// The output is rendered into a buffer first, so a template execution error
// produces a clean 500 response instead of a partially written page. An
// unknown page name is reported as a server error as well.
func (app *application) render(w http.ResponseWriter, status int, page string, data *templateData) {
	ts, found := app.templateCache[page]
	if !found {
		app.serverError(w, fmt.Errorf("the template %s does not exist", page))

		return
	}

	var buf bytes.Buffer

	if err := ts.ExecuteTemplate(&buf, "base", data); err != nil {
		app.serverError(w, err)

		return
	}

	w.WriteHeader(status)

	// A write error at this point means the client is gone; the header is
	// already sent, so there is nothing left to report.
	_, _ = buf.WriteTo(w)
}
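// motionFromRequestParam loads the motion identified by the "tag" URL
// parameter. Votes are loaded with the motion when the request's query string
// contains a "showvotes" key (its value is not inspected).
//
// On failure the response has already been written and nil is returned: a
// 500 when the lookup fails, a 404 when no motion matches. Callers must stop
// handling the request when they receive nil.
func (app *application) motionFromRequestParam(
	w http.ResponseWriter,
	r *http.Request,
) *models.Motion {
	withVotes := r.URL.Query().Has("showvotes")

	motion, err := app.motions.ByTag(r.Context(), chi.URLParam(r, "tag"), withVotes)
	if err != nil {
		app.serverError(w, err)

		return nil
	}

	// The nil check mirrors userFromRequestParam and keeps a lookup that
	// returns (nil, nil) from dereferencing a nil pointer; a zero ID is what
	// the original code treated as "no such motion".
	if motion == nil || motion.ID == 0 {
		app.notFound(w)

		return nil
	}

	return motion
}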
// userFromRequestParam loads the user identified by the numeric "id" URL
// parameter, passing options through to the user lookup.
//
// On failure the response has already been written and nil is returned: a
// 400 when the parameter is not an integer, a 500 when the lookup fails and a
// 404 when no user matches. Callers must stop handling the request when they
// receive nil.
//
// The helper only resolves the record. It does not check whether the
// requester is allowed to see or change that user.
// NOTE(review): confirm that the routes using it enforce authorization.
func (app *application) userFromRequestParam(
	w http.ResponseWriter, r *http.Request, options ...models.UserListOption,
) *models.User {
	rawID := chi.URLParam(r, "id")

	userID, convErr := strconv.Atoi(rawID)
	if convErr != nil {
		app.clientError(w, http.StatusBadRequest)

		return nil
	}

	user, err := app.users.ByID(r.Context(), int64(userID), options...)

	switch {
	case err != nil:
		app.serverError(w, err)

		return nil
	case user == nil:
		app.notFound(w)

		return nil
	}

	return user
}
// emailFromRequestParam returns the "address" URL parameter if, and only if,
// it exactly matches one of the email addresses of user.
//
// An empty string with a nil error means the parameter does not belong to the
// user; callers must treat that as "not found" and must not act on the raw
// URL value. An error is returned only when the user's addresses cannot be
// read.
//
// NOTE(review): the comparison is byte-exact. If the router hands over the
// parameter in percent-encoded form, an encoded address will not match -
// confirm how the "address" segment reaches this function.
func (app *application) emailFromRequestParam(r *http.Request, user *models.User) (string, error) {
	known, err := user.EmailAddresses()
	if err != nil {
		return "", fmt.Errorf("could not get email addresses: %w", err)
	}

	requested := chi.URLParam(r, "address")

	for i := range known {
		if known[i] != requested {
			continue
		}

		return requested, nil
	}

	return "", nil
}
// deleteEmailParams resolves the user (with email addresses loaded) and the
// email address named by the request's URL parameters.
//
// Return values:
//   - (nil, "", nil): the user could not be resolved; userFromRequestParam
//     has already written the error response.
//   - (nil, "", err): the user's email addresses could not be read.
//   - (user, address, nil): address is empty when the requested address does
//     not belong to the user, so callers must check it before deleting
//     anything.
func (app *application) deleteEmailParams(w http.ResponseWriter, r *http.Request) (*models.User, string, error) {
	target := app.userFromRequestParam(w, r, app.users.WithEmailAddresses())
	if target == nil {
		return nil, "", nil
	}

	address, err := app.emailFromRequestParam(r, target)
	if err == nil {
		return target, address, nil
	}

	return nil, "", err
}
// choiceFromRequestParam converts the "choice" URL parameter into a vote
// choice using models.VoteChoiceFromString.
//
// When the parameter is not accepted by that conversion, a 400 response is
// written and nil is returned; callers must stop handling the request in that
// case.
func (app *application) choiceFromRequestParam(w http.ResponseWriter, r *http.Request) *models.VoteChoice {
	raw := chi.URLParam(r, "choice")

	choice, err := models.VoteChoiceFromString(raw)
	if err == nil {
		return choice
	}

	app.clientError(w, http.StatusBadRequest)

	return nil
}
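// getPEMClientCert returns the client certificate stored in the request
// context under ctxAuthenticatedCert as a PEM encoded CERTIFICATE block.
//
// An error is returned when the context holds no value under that key, a
// value of another type, or a nil *x509.Certificate, and when PEM encoding
// fails. The nil case is rejected explicitly because a typed nil pointer
// passes the type assertion and would otherwise be dereferenced.
//
// The function only re-encodes the certificate's raw DER bytes; it performs
// no validation of the certificate itself.
func getPEMClientCert(r *http.Request) (string, error) {
	authenticatedCertificate, ok := r.Context().Value(ctxAuthenticatedCert).(*x509.Certificate)
	if !ok || authenticatedCertificate == nil {
		return "", errors.New("could not handle certificate as x509.Certificate")
	}

	var clientCertPEM bytes.Buffer

	block := &pem.Block{Type: "CERTIFICATE", Bytes: authenticatedCertificate.Raw}
	if err := pem.Encode(&clientCertPEM, block); err != nil {
		return "", fmt.Errorf("error encoding client certificate: %w", err)
	}

	return clientCertPEM.String(), nil
}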
// FlashVariant names the kind of a flash message.
type FlashVariant string

// Flash message variants used by the application.
const (
	flashWarning FlashVariant = "warning"
	flashInfo    FlashVariant = "info"
	flashSuccess FlashVariant = "success"
	flashError   FlashVariant = "error"
)

// FlashMessage is a one-time notification that is kept in the session until
// it is read by app.flashes.
type FlashMessage struct {
	// Variant is the kind of the message.
	Variant FlashVariant
	// Title is the heading of the message.
	Title string
	// Message is the body text of the message.
	Message string
}
// addFlash appends a copy of message to the flash messages stored in the
// session of the request.
//
// The existing messages are read with app.flashes, which removes them from
// the session, and the extended list is stored again under the "flashes" key.
// message must not be nil.
func (app *application) addFlash(r *http.Request, message *FlashMessage) {
	pending := app.flashes(r)
	pending = append(pending, *message)

	app.sessionManager.Put(r.Context(), "flashes", pending)
}
// flashes removes the value stored under the "flashes" session key and
// returns it as a slice of flash messages.
//
// When the session holds nothing under that key, or holds a value of another
// type, an empty non-nil slice is returned. In both cases the stored value is
// gone from the session afterwards.
func (app *application) flashes(r *http.Request) []FlashMessage {
	stored := app.sessionManager.Pop(r.Context(), "flashes")

	if messages, ok := stored.([]FlashMessage); ok {
		return messages
	}

	return make([]FlashMessage, 0)
}