authorAlex Auvolat <alex@adnab.me>2020-02-12 00:13:24 +0100
committerAlex Auvolat <alex@adnab.me>2020-02-12 00:13:24 +0100
commit3fbbe61a460b8d5415b61de505b4ac1ab8692b25 (patch)
treea1973b6e93c64bd968dc7130f3b38b5690efc322
parent7ca56ba8df6c936909e3fe64d8e22d6ece50e9b2 (diff)
Refactor is_admin check
-rw-r--r--admin.go16
-rw-r--r--guichet.hcl.example2
-rw-r--r--main.go40
-rw-r--r--templates/home.html4
4 files changed, 24 insertions, 38 deletions
diff --git a/admin.go b/admin.go
index ccfbe31..b480507 100644
--- a/admin.go
+++ b/admin.go
@@ -18,20 +18,8 @@ func checkAdminLogin(w http.ResponseWriter, r *http.Request) *LoginStatus {
return nil
}
- can_admin := (login.Info.DN == config.AdminAccount)
- fmt.Printf("%#v", login.UserEntry)
- for _, attr := range login.UserEntry.Attributes {
- if strings.EqualFold(attr.Name, "memberof") {
- for _, group := range attr.Values {
- if config.GroupCanAdmin != "" && group == config.GroupCanAdmin {
- can_admin = true
- }
- }
- }
- }
-
- if !can_admin {
- http.Redirect(w, r, "/", http.StatusFound)
+ if !login.CanAdmin {
+ http.Error(w, "Not authorized to perform administrative operations.", http.StatusUnauthorized)
return nil
}
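Review bot: The new `http.Error` line answers a logged-in user who lacks the admin right with `http.StatusUnauthorized` (401), but that status means "not authenticated" and makes some clients re-prompt for credentials; the condition here is an authorization failure on an already established login, for which 403 is the matching code: `http.Error(w, "Not authorized to perform administrative operations.", http.StatusForbidden)`. Replacing the old redirect with an explicit error is otherwise an improvement, since it no longer hides the denied request behind a 302. checkAdminLogin begins before this hunk, so the earlier checkLogin failure path is not visible here.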
diff --git a/guichet.hcl.example b/guichet.hcl.example
index e2f1791..7c702ae 100644
--- a/guichet.hcl.example
+++ b/guichet.hcl.example
@@ -12,7 +12,7 @@ job "guichet" {
task "server" {
driver = "docker"
config {
- image = "lxpz/guichet_amd64:3"
+ image = "lxpz/guichet_amd64:4"
readonly_rootfs = true
port_map {
web_port = 9991
diff --git a/main.go b/main.go
index 574ea21..da59552 100644
--- a/main.go
+++ b/main.go
@@ -136,6 +136,8 @@ type LoginStatus struct {
Info *LoginInfo
conn *ldap.Conn
UserEntry *ldap.Entry
+ CanAdmin bool
+ CanInvite bool
}
func logRequest(handler http.Handler) http.Handler {
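Review bot: The two new exported fields on LoginStatus carry no comment, yet admin.go and the home template now branch on them, so a reader of the struct cannot tell what grants each right without finding the loop in checkLogin. The computation in this same file shows the rule: `CanAdmin bool // DN equals config.AdminAccount (case-insensitive) or the entry is memberof config.GroupCanAdmin` and `CanInvite bool // entry is memberof config.GroupCanInvite`. Stating that next to the fields also documents that both depend on the memberof attribute being returned by the user search, which is set up outside the visible hunks.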
@@ -195,7 +197,7 @@ func checkLogin(w http.ResponseWriter, r *http.Request) *LoginStatus {
}
requestKind := "(objectClass=organizationalPerson)"
- if login_info.DN == config.AdminAccount {
+ if strings.EqualFold(login_info.DN, config.AdminAccount) {
requestKind = "(objectclass=*)"
}
searchRequest := ldap.NewSearchRequest(
@@ -218,6 +220,21 @@ func checkLogin(w http.ResponseWriter, r *http.Request) *LoginStatus {
loginStatus.UserEntry = sr.Entries[0]
+ loginStatus.CanAdmin = strings.EqualFold(loginStatus.Info.DN, config.AdminAccount)
+ loginStatus.CanInvite = false
+ for _, attr := range loginStatus.UserEntry.Attributes {
+ if strings.EqualFold(attr.Name, "memberof") {
+ for _, group := range attr.Values {
+ if config.GroupCanInvite != "" && strings.EqualFold(group, config.GroupCanInvite) {
+ loginStatus.CanInvite = true
+ }
+ if config.GroupCanAdmin != "" && strings.EqualFold(group, config.GroupCanAdmin) {
+ loginStatus.CanAdmin = true
+ }
+ }
+ }
+ }
+
return loginStatus
}
@@ -244,8 +261,6 @@ func ldapOpen(w http.ResponseWriter) *ldap.Conn {
type HomePageData struct {
Login *LoginStatus
WelcomeName string
- CanAdmin bool
- CanInvite bool
BaseDN string
}
@@ -257,25 +272,8 @@ func handleHome(w http.ResponseWriter, r *http.Request) {
return
}
- can_admin := (login.Info.DN == config.AdminAccount)
- can_invite := false
- for _, attr := range login.UserEntry.Attributes {
- if strings.EqualFold(attr.Name, "memberof") {
- for _, group := range attr.Values {
- if config.GroupCanInvite != "" && group == config.GroupCanInvite {
- can_invite = true
- }
- if config.GroupCanAdmin != "" && group == config.GroupCanAdmin {
- can_admin = true
- }
- }
- }
- }
-
data := &HomePageData{
Login: login,
- CanAdmin: can_admin,
- CanInvite: can_invite,
BaseDN: config.BaseDN,
WelcomeName: login.UserEntry.GetAttributeValue("givenname"),
}
@@ -326,7 +324,7 @@ func handleLogin(w http.ResponseWriter, r *http.Request) *LoginInfo {
username := strings.Join(r.Form["username"], "")
password := strings.Join(r.Form["password"], "")
user_dn := fmt.Sprintf("%s=%s,%s", config.UserNameAttr, username, config.UserBaseDN)
- if username == config.AdminAccount {
+ if strings.EqualFold(username, config.AdminAccount) {
user_dn = username
}
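Review bot: When the new case-insensitive comparison matches, the next line still binds with the raw `username` rather than the configured DN, so any variant of the admin DN that case-folds equal is sent to the directory verbatim; binding with the canonical value keeps the accepted form under the operator's control: `user_dn = config.AdminAccount`. The surrounding `fmt.Sprintf` that builds the ordinary user DN from `username` without DN escaping predates this commit, but it is worth noting here because the widened match is the only thing deciding which of the two paths a submitted name takes. handleLogin continues beyond this hunk.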
diff --git a/templates/home.html b/templates/home.html
index 9a9773a..7f227e6 100644
--- a/templates/home.html
+++ b/templates/home.html
@@ -16,13 +16,13 @@
<div class="list-group list-group-flush">
<a class="list-group-item list-group-item-action" href="/profile">Modifier mon profil</a>
<a class="list-group-item list-group-item-action" href="/passwd">Modifier mon mot de passe</a>
- {{if .CanInvite}}
+ {{if .Login.CanInvite}}
<a class="list-group-item list-group-item-action" href="/invite">Inviter quelqu'un</a>
{{end}}
</div>
</div>
-{{if .CanAdmin}}
+{{if .Login.CanAdmin}}
<div class="card mt-3">
<div class="card-header">
Administration