You cannot select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
207 lines
4.7 KiB
Go
207 lines
4.7 KiB
Go
/*
|
|
Copyright 2022 CAcert Inc.
|
|
SPDX-License-Identifier: Apache-2.0
|
|
|
|
Licensed under the Apache License, Version 2.0 (the "License");
|
|
you may not use this file except in compliance with the License.
|
|
You may obtain a copy of the License at
|
|
|
|
http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
Unless required by applicable law or agreed to in writing, software
|
|
distributed under the License is distributed on an "AS IS" BASIS,
|
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
See the License for the specific language governing permissions and
|
|
limitations under the License.
|
|
*/
|
|
|
|
package main
|
|
|
|
import (
|
|
"context"
|
|
"crypto/x509"
|
|
"errors"
|
|
"fmt"
|
|
"net/http"
|
|
"strings"
|
|
|
|
"github.com/justinas/nosurf"
|
|
|
|
"git.cacert.org/cacert-boardvoting/internal/models"
|
|
)
|
|
|
|
type contextKey int
|
|
|
|
const (
|
|
ctxUser contextKey = iota
|
|
ctxAuthenticatedCert
|
|
)
|
|
|
|
func secureHeaders(next http.Handler) http.Handler {
|
|
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
w.Header().Set("Content-Security-Policy", "default-src 'self'; font-src 'self' data:")
|
|
w.Header().Set("Referrer-Policy", "origin-when-cross-origin")
|
|
w.Header().Set("X-Content-Type-Options", "nosniff")
|
|
w.Header().Set("X-Frame-Options", "deny")
|
|
w.Header().Set("X-XSS-Protection", "0")
|
|
w.Header().Set("Strict-Transport-Security", "max-age=63072000")
|
|
|
|
next.ServeHTTP(w, r)
|
|
})
|
|
}
|
|
|
|
func (app *application) authenticateRequest(
|
|
ctx context.Context,
|
|
r *http.Request,
|
|
) (*models.User, *x509.Certificate, error) {
|
|
if r.TLS == nil {
|
|
return nil, nil, nil
|
|
}
|
|
|
|
if len(r.TLS.PeerCertificates) < 1 {
|
|
return nil, nil, nil
|
|
}
|
|
|
|
clientCert := r.TLS.PeerCertificates[0]
|
|
|
|
allowClientAuth := false
|
|
|
|
for _, eku := range clientCert.ExtKeyUsage {
|
|
if eku == x509.ExtKeyUsageClientAuth {
|
|
allowClientAuth = true
|
|
|
|
break
|
|
}
|
|
}
|
|
|
|
if !allowClientAuth {
|
|
// presented certificate is not valid for client authentication
|
|
return nil, nil, nil
|
|
}
|
|
|
|
emails := clientCert.EmailAddresses
|
|
|
|
user, err := app.users.ByEmails(ctx, emails)
|
|
if err != nil {
|
|
return nil, nil, fmt.Errorf("could not get user information from database: %w", err)
|
|
}
|
|
|
|
return user, clientCert, nil
|
|
}
|
|
|
|
func (app *application) tryAuthenticate(next http.Handler) http.Handler {
|
|
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
user, cert, err := app.authenticateRequest(r.Context(), r)
|
|
if err != nil {
|
|
panic(err)
|
|
}
|
|
|
|
if user == nil {
|
|
next.ServeHTTP(w, r)
|
|
|
|
return
|
|
}
|
|
|
|
w.Header().Add("Cache-Control", "no-store")
|
|
|
|
certContext := context.WithValue(r.Context(), ctxAuthenticatedCert, cert)
|
|
userContext := context.WithValue(certContext, ctxUser, user)
|
|
|
|
next.ServeHTTP(w, r.WithContext(userContext))
|
|
})
|
|
}
|
|
|
|
func (app *application) GetUser(r *http.Request) (*models.User, error) {
|
|
user := r.Context().Value(ctxUser)
|
|
if user == nil {
|
|
return nil, errors.New("no user in context")
|
|
}
|
|
|
|
result, ok := user.(*models.User)
|
|
if !ok {
|
|
return nil, fmt.Errorf("%v is not a user", user)
|
|
}
|
|
|
|
return result, nil
|
|
}
|
|
|
|
func (app *application) HasRole(r *http.Request, roles ...models.RoleName) (bool, bool, error) {
|
|
user, err := app.GetUser(r)
|
|
if err != nil {
|
|
return false, false, err
|
|
}
|
|
|
|
if user == nil {
|
|
return false, false, nil
|
|
}
|
|
|
|
roleMatched, err := user.HasRole(roles...)
|
|
if err != nil {
|
|
return false, true, fmt.Errorf("could not determin user role assignment: %w", err)
|
|
}
|
|
|
|
if !roleMatched {
|
|
roleNames := make([]string, len(roles))
|
|
for idx := range roles {
|
|
roleNames[idx] = string(roles[idx])
|
|
}
|
|
|
|
app.errorLog.Printf(
|
|
"user %s does not have any of the required role(s) %s assigned",
|
|
user.Name,
|
|
strings.Join(roleNames, ", "),
|
|
)
|
|
|
|
return false, true, nil
|
|
}
|
|
|
|
return true, true, nil
|
|
}
|
|
|
|
func (app *application) requireRole(next http.Handler, roles ...models.RoleName) http.Handler {
|
|
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
hasRole, hasUser, err := app.HasRole(r, roles...)
|
|
if err != nil {
|
|
panic(err)
|
|
}
|
|
|
|
if !hasUser {
|
|
app.clientError(w, http.StatusUnauthorized)
|
|
|
|
return
|
|
}
|
|
|
|
if !hasRole {
|
|
app.clientError(w, http.StatusForbidden)
|
|
|
|
return
|
|
}
|
|
|
|
next.ServeHTTP(w, r)
|
|
})
|
|
}
|
|
|
|
func (app *application) userCanVote(next http.Handler) http.Handler {
|
|
return app.requireRole(next, models.RoleVoter)
|
|
}
|
|
|
|
func (app *application) userCanEditVote(next http.Handler) http.Handler {
|
|
return app.requireRole(next, models.RoleVoter)
|
|
}
|
|
|
|
func (app *application) canManageUsers(next http.Handler) http.Handler {
|
|
return app.requireRole(next, models.RoleSecretary, models.RoleAdmin)
|
|
}
|
|
|
|
func noSurf(next http.Handler) http.Handler {
|
|
csrfHandler := nosurf.New(next)
|
|
csrfHandler.SetBaseCookie(http.Cookie{
|
|
HttpOnly: true,
|
|
Path: "/",
|
|
Secure: true,
|
|
SameSite: http.SameSiteStrictMode,
|
|
})
|
|
|
|
return csrfHandler
|
|
}
|