Kyle Isom
5a1f4f5837
- Change dashboard route from adminGet to authed middleware
- Show account counts and audit events only for admin users
- Show welcome message for non-admin authenticated users
Security: non-admin users cannot access account lists or audit
events; admin-only data is gated by claims.HasRole("admin") in
the handler, not just at the route level.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
705 lines
25 KiB
Go
705 lines
25 KiB
Go
// Package ui provides the HTMX-based management web interface for MCIAS.
|
|
//
|
|
// Security design:
|
|
// - Session tokens are stored as HttpOnly, Secure, SameSite=Strict cookies.
|
|
// They are never accessible to JavaScript.
|
|
// - CSRF protection uses the HMAC-signed Double-Submit Cookie pattern.
|
|
// The mcias_csrf cookie is non-HttpOnly so HTMX can include it in the
|
|
// X-CSRF-Token header on every mutating request. SameSite=Strict is the
|
|
// primary browser-level CSRF defence.
|
|
// - UI handlers call internal Go functions directly — no internal HTTP round-trips.
|
|
// - All templates are parsed once at startup via embed.FS; no dynamic template
|
|
// loading from disk at request time.
|
|
package ui
|
|
|
|
import (
|
|
"bytes"
|
|
"crypto/ed25519"
|
|
"crypto/rand"
|
|
"encoding/hex"
|
|
"encoding/json"
|
|
"fmt"
|
|
"html/template"
|
|
"io/fs"
|
|
"log/slog"
|
|
"net"
|
|
"net/http"
|
|
"sync"
|
|
"time"
|
|
|
|
"git.wntrmute.dev/kyle/mcias/internal/auth"
|
|
"git.wntrmute.dev/kyle/mcias/internal/config"
|
|
"git.wntrmute.dev/kyle/mcias/internal/db"
|
|
"git.wntrmute.dev/kyle/mcias/internal/middleware"
|
|
"git.wntrmute.dev/kyle/mcias/internal/model"
|
|
"git.wntrmute.dev/kyle/mcias/web"
|
|
)
|
|
|
|
const (
|
|
sessionCookieName = "mcias_session"
|
|
csrfCookieName = "mcias_csrf"
|
|
totpNonceTTL = 90 * time.Second // single-use TOTP step nonce lifetime
|
|
totpNonceBytes = 16 // 128 bits of entropy
|
|
)
|
|
|
|
// pendingLogin is a short-lived record created after password verification
|
|
// succeeds but before TOTP confirmation. It holds the account ID so the
|
|
// TOTP step never needs to re-transmit the password.
|
|
//
|
|
// Security: the nonce is single-use (deleted on first lookup) and expires
|
|
// after totpNonceTTL to bound the window of a stolen nonce.
|
|
type pendingLogin struct {
|
|
expiresAt time.Time
|
|
accountID int64
|
|
}
|
|
|
|
// UIServer serves the HTMX-based management UI.
|
|
type UIServer struct {
|
|
pendingLogins sync.Map // nonce (string) → *pendingLogin
|
|
tmpls map[string]*template.Template // page name → template set
|
|
db *db.DB
|
|
cfg *config.Config
|
|
logger *slog.Logger
|
|
csrf *CSRFManager
|
|
pubKey ed25519.PublicKey
|
|
privKey ed25519.PrivateKey
|
|
masterKey []byte
|
|
}
|
|
|
|
// issueTOTPNonce creates a random single-use nonce for the TOTP step and
|
|
// stores the account ID it corresponds to. Returns the hex-encoded nonce.
|
|
func (u *UIServer) issueTOTPNonce(accountID int64) (string, error) {
|
|
raw := make([]byte, totpNonceBytes)
|
|
if _, err := rand.Read(raw); err != nil {
|
|
return "", fmt.Errorf("ui: generate TOTP nonce: %w", err)
|
|
}
|
|
nonce := hex.EncodeToString(raw)
|
|
u.pendingLogins.Store(nonce, &pendingLogin{
|
|
accountID: accountID,
|
|
expiresAt: time.Now().Add(totpNonceTTL),
|
|
})
|
|
return nonce, nil
|
|
}
|
|
|
|
// consumeTOTPNonce looks up and deletes the nonce, returning the associated
|
|
// account ID. Returns (0, false) if the nonce is unknown or expired.
|
|
func (u *UIServer) consumeTOTPNonce(nonce string) (int64, bool) {
|
|
v, ok := u.pendingLogins.LoadAndDelete(nonce)
|
|
if !ok {
|
|
return 0, false
|
|
}
|
|
pl, ok2 := v.(*pendingLogin)
|
|
if !ok2 {
|
|
return 0, false
|
|
}
|
|
if time.Now().After(pl.expiresAt) {
|
|
return 0, false
|
|
}
|
|
return pl.accountID, true
|
|
}
|
|
|
|
// dummyHash returns the pre-computed Argon2id PHC hash for constant-time dummy
|
|
// verification when an account is unknown or inactive (F-07).
|
|
// Delegates to auth.DummyHash() which uses sync.Once for one-time computation.
|
|
func (u *UIServer) dummyHash() string {
|
|
return auth.DummyHash()
|
|
}
|
|
|
|
// New constructs a UIServer, parses all templates, and returns it.
|
|
// Returns an error if template parsing fails.
|
|
func New(database *db.DB, cfg *config.Config, priv ed25519.PrivateKey, pub ed25519.PublicKey, masterKey []byte, logger *slog.Logger) (*UIServer, error) {
|
|
csrf := newCSRFManager(masterKey)
|
|
|
|
funcMap := template.FuncMap{
|
|
"formatTime": func(t time.Time) string {
|
|
if t.IsZero() {
|
|
return ""
|
|
}
|
|
return t.UTC().Format("2006-01-02 15:04:05")
|
|
},
|
|
"truncateJTI": func(jti string) string {
|
|
if len(jti) > 8 {
|
|
return jti[:8]
|
|
}
|
|
return jti
|
|
},
|
|
"string": func(v interface{}) string {
|
|
switch s := v.(type) {
|
|
case model.AccountStatus:
|
|
return string(s)
|
|
case model.AccountType:
|
|
return string(s)
|
|
default:
|
|
return fmt.Sprintf("%v", v)
|
|
}
|
|
},
|
|
"hasRole": func(roles []string, role string) bool {
|
|
for _, r := range roles {
|
|
if r == role {
|
|
return true
|
|
}
|
|
}
|
|
return false
|
|
},
|
|
"not": func(b bool) bool { return !b },
|
|
// derefInt64 safely dereferences a *int64, returning 0 for nil.
|
|
// Used in templates to compare owner IDs without triggering nil panics.
|
|
"derefInt64": func(p *int64) int64 {
|
|
if p == nil {
|
|
return 0
|
|
}
|
|
return *p
|
|
},
|
|
// isPGCredOwner returns true when actorID and cred are both non-nil
|
|
// and actorID matches cred.OwnerID. Safe to call with nil arguments.
|
|
"isPGCredOwner": func(actorID *int64, cred *model.PGCredential) bool {
|
|
if actorID == nil || cred == nil || cred.OwnerID == nil {
|
|
return false
|
|
}
|
|
return *actorID == *cred.OwnerID
|
|
},
|
|
"add": func(a, b int) int { return a + b },
|
|
"sub": func(a, b int) int { return a - b },
|
|
"gt": func(a, b int) bool { return a > b },
|
|
"lt": func(a, b int) bool { return a < b },
|
|
"prettyJSON": func(s string) string {
|
|
var v json.RawMessage
|
|
if json.Unmarshal([]byte(s), &v) != nil {
|
|
return s
|
|
}
|
|
pretty, err := json.MarshalIndent(v, "", " ")
|
|
if err != nil {
|
|
return s
|
|
}
|
|
return string(pretty)
|
|
},
|
|
}
|
|
|
|
// Parse shared templates (base layout + all fragments) into a base set.
|
|
// Each page template is then parsed into a clone of this base set so that
|
|
// competing "content"/"title" definitions do not collide.
|
|
sharedFiles := []string{
|
|
"templates/base.html",
|
|
"templates/fragments/account_row.html",
|
|
"templates/fragments/account_status.html",
|
|
"templates/fragments/roles_editor.html",
|
|
"templates/fragments/token_list.html",
|
|
"templates/fragments/totp_step.html",
|
|
"templates/fragments/error.html",
|
|
"templates/fragments/audit_rows.html",
|
|
"templates/fragments/pgcreds_form.html",
|
|
"templates/fragments/tags_editor.html",
|
|
"templates/fragments/policy_row.html",
|
|
"templates/fragments/policy_form.html",
|
|
"templates/fragments/password_reset_form.html",
|
|
"templates/fragments/password_change_form.html",
|
|
}
|
|
base, err := template.New("").Funcs(funcMap).ParseFS(web.TemplateFS, sharedFiles...)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("ui: parse shared templates: %w", err)
|
|
}
|
|
|
|
// Each page template defines "content" and "title" blocks; parsing them
|
|
// into separate clones prevents the last-defined block from winning.
|
|
pageFiles := map[string]string{
|
|
"login": "templates/login.html",
|
|
"dashboard": "templates/dashboard.html",
|
|
"accounts": "templates/accounts.html",
|
|
"account_detail": "templates/account_detail.html",
|
|
"audit": "templates/audit.html",
|
|
"audit_detail": "templates/audit_detail.html",
|
|
"policies": "templates/policies.html",
|
|
"pgcreds": "templates/pgcreds.html",
|
|
"profile": "templates/profile.html",
|
|
}
|
|
tmpls := make(map[string]*template.Template, len(pageFiles))
|
|
for name, file := range pageFiles {
|
|
clone, cloneErr := base.Clone()
|
|
if cloneErr != nil {
|
|
return nil, fmt.Errorf("ui: clone base templates for %s: %w", name, cloneErr)
|
|
}
|
|
if _, parseErr := clone.ParseFS(web.TemplateFS, file); parseErr != nil {
|
|
return nil, fmt.Errorf("ui: parse page template %s: %w", name, parseErr)
|
|
}
|
|
tmpls[name] = clone
|
|
}
|
|
|
|
srv := &UIServer{
|
|
db: database,
|
|
cfg: cfg,
|
|
pubKey: pub,
|
|
privKey: priv,
|
|
masterKey: masterKey,
|
|
logger: logger,
|
|
csrf: csrf,
|
|
tmpls: tmpls,
|
|
}
|
|
|
|
// Security (DEF-02): launch a background goroutine to evict expired TOTP
|
|
// nonces from pendingLogins. consumeTOTPNonce deletes entries on use, but
|
|
// entries abandoned by users who never complete step 2 would otherwise
|
|
// accumulate indefinitely, enabling a memory-exhaustion attack.
|
|
go srv.cleanupPendingLogins()
|
|
|
|
return srv, nil
|
|
}
|
|
|
|
// cleanupPendingLogins periodically evicts expired entries from pendingLogins.
|
|
// It runs every 5 minutes, which is well within the 90-second nonce TTL, so
|
|
// stale entries are removed before they can accumulate to any significant size.
|
|
func (u *UIServer) cleanupPendingLogins() {
|
|
ticker := time.NewTicker(5 * time.Minute)
|
|
defer ticker.Stop()
|
|
for range ticker.C {
|
|
now := time.Now()
|
|
u.pendingLogins.Range(func(key, value any) bool {
|
|
pl, ok := value.(*pendingLogin)
|
|
if !ok || now.After(pl.expiresAt) {
|
|
u.pendingLogins.Delete(key)
|
|
}
|
|
return true
|
|
})
|
|
}
|
|
}
|
|
|
|
// Register attaches all UI routes to mux, wrapped with security headers.
|
|
// All UI responses (pages, fragments, redirects, static assets) carry the
|
|
// headers added by securityHeaders.
|
|
func (u *UIServer) Register(mux *http.ServeMux) {
|
|
// Build a dedicated child mux for all UI routes so that securityHeaders
|
|
// can be applied once as a wrapping middleware rather than per-route.
|
|
uiMux := http.NewServeMux()
|
|
|
|
// Static assets — serve from the web/static/ sub-directory of the embed.
|
|
staticSubFS, err := fs.Sub(web.StaticFS, "static")
|
|
if err != nil {
|
|
panic(fmt.Sprintf("ui: static sub-FS: %v", err))
|
|
}
|
|
uiMux.Handle("GET /static/", http.StripPrefix("/static/", http.FileServerFS(staticSubFS)))
|
|
|
|
// Redirect root to login.
|
|
uiMux.HandleFunc("GET /", func(w http.ResponseWriter, r *http.Request) {
|
|
if r.URL.Path == "/" {
|
|
http.Redirect(w, r, "/login", http.StatusFound)
|
|
return
|
|
}
|
|
http.NotFound(w, r)
|
|
})
|
|
|
|
// Security (DEF-01, DEF-03): apply the same per-IP rate limit as the REST
|
|
// /v1/auth/login endpoint, using the same proxy-aware IP extraction so
|
|
// the rate limit is applied to real client IPs behind a reverse proxy.
|
|
var trustedProxy net.IP
|
|
if u.cfg.Server.TrustedProxy != "" {
|
|
trustedProxy = net.ParseIP(u.cfg.Server.TrustedProxy)
|
|
}
|
|
loginRateLimit := middleware.RateLimit(10, 10, trustedProxy)
|
|
|
|
// Auth routes (no session required).
|
|
uiMux.HandleFunc("GET /login", u.handleLoginPage)
|
|
uiMux.Handle("POST /login", loginRateLimit(http.HandlerFunc(u.handleLoginPost)))
|
|
uiMux.HandleFunc("POST /logout", u.handleLogout)
|
|
|
|
// Protected routes.
|
|
//
|
|
// Security: three distinct access levels:
|
|
// - authed: any valid session cookie (authenticated user)
|
|
// - admin: authed + admin role in JWT claims (mutating admin ops)
|
|
// - adminGet: authed + admin role (read-only admin pages, no CSRF)
|
|
authed := u.requireCookieAuth
|
|
admin := func(h http.HandlerFunc) http.Handler {
|
|
return authed(u.requireAdminRole(u.requireCSRF(http.HandlerFunc(h))))
|
|
}
|
|
adminGet := func(h http.HandlerFunc) http.Handler {
|
|
return authed(u.requireAdminRole(http.HandlerFunc(h)))
|
|
}
|
|
|
|
uiMux.Handle("GET /dashboard", authed(http.HandlerFunc(u.handleDashboard)))
|
|
uiMux.Handle("GET /accounts", adminGet(u.handleAccountsList))
|
|
uiMux.Handle("POST /accounts", admin(u.handleCreateAccount))
|
|
uiMux.Handle("GET /accounts/{id}", adminGet(u.handleAccountDetail))
|
|
uiMux.Handle("PATCH /accounts/{id}/status", admin(u.handleUpdateAccountStatus))
|
|
uiMux.Handle("DELETE /accounts/{id}", admin(u.handleDeleteAccount))
|
|
uiMux.Handle("GET /accounts/{id}/roles/edit", adminGet(u.handleRolesEditForm))
|
|
uiMux.Handle("PUT /accounts/{id}/roles", admin(u.handleSetRoles))
|
|
uiMux.Handle("DELETE /token/{jti}", admin(u.handleRevokeToken))
|
|
uiMux.Handle("POST /accounts/{id}/token", admin(u.handleIssueSystemToken))
|
|
uiMux.Handle("PUT /accounts/{id}/pgcreds", admin(u.handleSetPGCreds))
|
|
uiMux.Handle("POST /accounts/{id}/pgcreds/access", admin(u.handleGrantPGCredAccess))
|
|
uiMux.Handle("DELETE /accounts/{id}/pgcreds/access/{grantee}", admin(u.handleRevokePGCredAccess))
|
|
uiMux.Handle("GET /pgcreds", adminGet(u.handlePGCredsList))
|
|
uiMux.Handle("POST /pgcreds", admin(u.handleCreatePGCreds))
|
|
uiMux.Handle("GET /audit", adminGet(u.handleAuditPage))
|
|
uiMux.Handle("GET /audit/rows", adminGet(u.handleAuditRows))
|
|
uiMux.Handle("GET /audit/{id}", adminGet(u.handleAuditDetail))
|
|
uiMux.Handle("GET /policies", adminGet(u.handlePoliciesPage))
|
|
uiMux.Handle("POST /policies", admin(u.handleCreatePolicyRule))
|
|
uiMux.Handle("PATCH /policies/{id}/enabled", admin(u.handleTogglePolicyRule))
|
|
uiMux.Handle("DELETE /policies/{id}", admin(u.handleDeletePolicyRule))
|
|
uiMux.Handle("PUT /accounts/{id}/tags", admin(u.handleSetAccountTags))
|
|
uiMux.Handle("PUT /accounts/{id}/password", admin(u.handleAdminResetPassword))
|
|
|
|
// Profile routes — accessible to any authenticated user (not admin-only).
|
|
uiMux.Handle("GET /profile", authed(http.HandlerFunc(u.handleProfilePage)))
|
|
uiMux.Handle("PUT /profile/password", authed(u.requireCSRF(http.HandlerFunc(u.handleSelfChangePassword))))
|
|
|
|
// Mount the wrapped UI mux on the parent mux. The "/" pattern acts as a
|
|
// catch-all for all UI paths; the more-specific /v1/ API patterns registered
|
|
// on the parent mux continue to take precedence per Go's routing rules.
|
|
mux.Handle("/", securityHeaders(uiMux))
|
|
}
|
|
|
|
// ---- Middleware ----
|
|
|
|
// requireCookieAuth validates the mcias_session cookie and injects claims.
|
|
// On failure, HTMX requests get HX-Redirect; browser requests get a redirect.
|
|
func (u *UIServer) requireCookieAuth(next http.Handler) http.Handler {
|
|
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
cookie, err := r.Cookie(sessionCookieName)
|
|
if err != nil || cookie.Value == "" {
|
|
u.redirectToLogin(w, r)
|
|
return
|
|
}
|
|
|
|
claims, err := validateSessionToken(u.pubKey, cookie.Value, u.cfg.Tokens.Issuer)
|
|
if err != nil {
|
|
u.clearSessionCookie(w)
|
|
u.redirectToLogin(w, r)
|
|
return
|
|
}
|
|
|
|
// Check revocation.
|
|
rec, err := u.db.GetTokenRecord(claims.JTI)
|
|
if err != nil || rec.IsRevoked() {
|
|
u.clearSessionCookie(w)
|
|
u.redirectToLogin(w, r)
|
|
return
|
|
}
|
|
|
|
ctx := contextWithClaims(r.Context(), claims)
|
|
next.ServeHTTP(w, r.WithContext(ctx))
|
|
})
|
|
}
|
|
|
|
// requireCSRF validates the CSRF token on mutating requests (POST/PUT/PATCH/DELETE).
|
|
// The token is read from X-CSRF-Token header (HTMX) or _csrf form field (fallback).
|
|
func (u *UIServer) requireCSRF(next http.Handler) http.Handler {
|
|
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
cookie, err := r.Cookie(csrfCookieName)
|
|
if err != nil || cookie.Value == "" {
|
|
http.Error(w, "CSRF cookie missing", http.StatusForbidden)
|
|
return
|
|
}
|
|
|
|
// Header takes precedence (HTMX sets it automatically via hx-headers on body).
|
|
formVal := r.Header.Get("X-CSRF-Token")
|
|
if formVal == "" {
|
|
// Fallback: parse form and read _csrf field.
|
|
// Security: limit body size to prevent memory exhaustion (gosec G120).
|
|
r.Body = http.MaxBytesReader(w, r.Body, maxFormBytes)
|
|
if parseErr := r.ParseForm(); parseErr == nil {
|
|
formVal = r.FormValue("_csrf")
|
|
}
|
|
}
|
|
|
|
if !u.csrf.Validate(cookie.Value, formVal) {
|
|
http.Error(w, "CSRF token invalid", http.StatusForbidden)
|
|
return
|
|
}
|
|
next.ServeHTTP(w, r)
|
|
})
|
|
}
|
|
|
|
// requireAdminRole checks that the authenticated user holds the "admin" role.
|
|
// Must be placed after requireCookieAuth in the middleware chain so that
|
|
// claims are available in the context.
|
|
//
|
|
// Security: This is the authoritative server-side check that prevents
|
|
// non-admin users from accessing admin-only UI endpoints. The JWT claims
|
|
// are populated from the database at login/renewal and signed with the
|
|
// server's Ed25519 private key, so they cannot be forged client-side.
|
|
func (u *UIServer) requireAdminRole(next http.Handler) http.Handler {
|
|
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
claims := claimsFromContext(r.Context())
|
|
if claims == nil || !claims.HasRole("admin") {
|
|
u.renderError(w, r, http.StatusForbidden, "admin role required")
|
|
return
|
|
}
|
|
next.ServeHTTP(w, r)
|
|
})
|
|
}
|
|
|
|
// ---- Helpers ----
|
|
|
|
// isHTMX reports whether the request was initiated by HTMX.
|
|
func isHTMX(r *http.Request) bool {
|
|
return r.Header.Get("HX-Request") == "true"
|
|
}
|
|
|
|
// redirectToLogin redirects to the login page, using HX-Redirect for HTMX.
|
|
func (u *UIServer) redirectToLogin(w http.ResponseWriter, r *http.Request) {
|
|
if isHTMX(r) {
|
|
w.Header().Set("HX-Redirect", "/login")
|
|
w.WriteHeader(http.StatusUnauthorized)
|
|
return
|
|
}
|
|
http.Redirect(w, r, "/login", http.StatusFound)
|
|
}
|
|
|
|
// clearSessionCookie expires the session cookie.
|
|
func (u *UIServer) clearSessionCookie(w http.ResponseWriter) {
|
|
http.SetCookie(w, &http.Cookie{
|
|
Name: sessionCookieName,
|
|
Value: "",
|
|
Path: "/",
|
|
MaxAge: -1,
|
|
HttpOnly: true,
|
|
Secure: true,
|
|
SameSite: http.SameSiteStrictMode,
|
|
})
|
|
}
|
|
|
|
// setCSRFCookies sets the mcias_csrf cookie and returns the header value to
|
|
// embed in the page/form.
|
|
func (u *UIServer) setCSRFCookies(w http.ResponseWriter) (string, error) {
|
|
cookieVal, headerVal, err := u.csrf.NewToken()
|
|
if err != nil {
|
|
return "", err
|
|
}
|
|
http.SetCookie(w, &http.Cookie{
|
|
Name: csrfCookieName,
|
|
Value: cookieVal,
|
|
Path: "/",
|
|
// Security: non-HttpOnly so that HTMX can embed it in hx-headers;
|
|
// SameSite=Strict is the primary CSRF defence for browser requests.
|
|
HttpOnly: false,
|
|
Secure: true,
|
|
SameSite: http.SameSiteStrictMode,
|
|
})
|
|
return headerVal, nil
|
|
}
|
|
|
|
// render executes the named template, writing the result to w.
|
|
// Renders to a buffer first so partial template failures don't corrupt output.
|
|
// For page templates (dashboard, accounts, etc.) the page-specific template set
|
|
// is used; for fragment templates the name is looked up across all sets.
|
|
func (u *UIServer) render(w http.ResponseWriter, name string, data interface{}) {
|
|
tmpl := u.templateFor(name)
|
|
if tmpl == nil {
|
|
u.logger.Error("template not found", "template", name)
|
|
http.Error(w, "internal server error", http.StatusInternalServerError)
|
|
return
|
|
}
|
|
var buf bytes.Buffer
|
|
if err := tmpl.ExecuteTemplate(&buf, name, data); err != nil {
|
|
u.logger.Error("template render error", "template", name, "error", err)
|
|
http.Error(w, "internal server error", http.StatusInternalServerError)
|
|
return
|
|
}
|
|
w.Header().Set("Content-Type", "text/html; charset=utf-8")
|
|
_, _ = w.Write(buf.Bytes())
|
|
}
|
|
|
|
// templateFor returns the template set that contains the named template.
|
|
// Page templates have a dedicated set; fragment templates exist in every set.
|
|
func (u *UIServer) templateFor(name string) *template.Template {
|
|
if t, ok := u.tmpls[name]; ok {
|
|
return t
|
|
}
|
|
// Fragment — available in any page set; pick the first one.
|
|
for _, t := range u.tmpls {
|
|
if t.Lookup(name) != nil {
|
|
return t
|
|
}
|
|
}
|
|
return nil
|
|
}
|
|
|
|
// renderError returns an error response appropriate for the request type.
|
|
func (u *UIServer) renderError(w http.ResponseWriter, r *http.Request, status int, msg string) {
|
|
if isHTMX(r) {
|
|
w.Header().Set("Content-Type", "text/html; charset=utf-8")
|
|
w.WriteHeader(status)
|
|
_, _ = fmt.Fprintf(w, `<div class="alert alert-error" role="alert">%s</div>`, template.HTMLEscapeString(msg))
|
|
return
|
|
}
|
|
http.Error(w, msg, status)
|
|
}
|
|
|
|
// maxFormBytes limits the size of UI form submissions (1 MiB).
|
|
// Security: prevents memory exhaustion from oversized POST bodies (gosec G120).
|
|
const maxFormBytes = 1 << 20
|
|
|
|
// securityHeaders returns middleware that adds defensive HTTP headers to every
|
|
// UI response.
|
|
//
|
|
// Security rationale for each header:
|
|
// - Content-Security-Policy: restricts resource loading to same origin only,
|
|
// mitigating XSS escalation even if an attacker injects HTML (e.g. via a
|
|
// malicious stored username rendered in the admin panel).
|
|
// - X-Content-Type-Options: prevents MIME-sniffing; browsers must honour the
|
|
// declared Content-Type and not guess an executable type from body content.
|
|
// - X-Frame-Options: blocks the admin panel from being framed by a third-party
|
|
// origin, preventing clickjacking against admin actions.
|
|
// - Strict-Transport-Security: instructs browsers to use HTTPS for all future
|
|
// requests to this origin for two years, preventing TLS-strip on revisit.
|
|
// - Referrer-Policy: suppresses the Referer header on outbound navigations so
|
|
// JWTs or session identifiers embedded in URLs are not leaked to third parties.
|
|
func securityHeaders(next http.Handler) http.Handler {
|
|
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
h := w.Header()
|
|
h.Set("Content-Security-Policy",
|
|
"default-src 'self'; script-src 'self'; style-src 'self'; img-src 'self' data:; font-src 'self'")
|
|
h.Set("X-Content-Type-Options", "nosniff")
|
|
h.Set("X-Frame-Options", "DENY")
|
|
h.Set("Strict-Transport-Security", "max-age=63072000; includeSubDomains")
|
|
h.Set("Referrer-Policy", "no-referrer")
|
|
next.ServeHTTP(w, r)
|
|
})
|
|
}
|
|
|
|
// clientIP returns the real client IP for the request, respecting the
|
|
// server's trusted-proxy setting (DEF-03). Delegates to middleware.ClientIP
|
|
// so the same extraction logic is used for rate limiting and audit logging.
|
|
func (u *UIServer) clientIP(r *http.Request) string {
|
|
var proxyIP net.IP
|
|
if u.cfg.Server.TrustedProxy != "" {
|
|
proxyIP = net.ParseIP(u.cfg.Server.TrustedProxy)
|
|
}
|
|
return middleware.ClientIP(r, proxyIP)
|
|
}
|
|
|
|
// actorName resolves the username of the currently authenticated user from the
|
|
// request context. Returns an empty string if claims are absent or the account
|
|
// cannot be found; callers should treat an empty string as "not logged in".
|
|
func (u *UIServer) actorName(r *http.Request) string {
|
|
claims := claimsFromContext(r.Context())
|
|
if claims == nil {
|
|
return ""
|
|
}
|
|
acct, err := u.db.GetAccountByUUID(claims.Subject)
|
|
if err != nil {
|
|
return ""
|
|
}
|
|
return acct.Username
|
|
}
|
|
|
|
// ---- Page data types ----
|
|
|
|
// PageData is embedded in all page-level view structs.
|
|
type PageData struct {
|
|
CSRFToken string
|
|
Flash string
|
|
Error string
|
|
// ActorName is the username of the currently logged-in user, populated by
|
|
// handlers so the base template can display it in the navigation bar.
|
|
ActorName string
|
|
}
|
|
|
|
// LoginData is the view model for the login page.
|
|
type LoginData struct {
|
|
Error string
|
|
Username string // pre-filled on TOTP step
|
|
// Security (F-02): Password is no longer carried in the HTML form. Instead
|
|
// a short-lived server-side nonce is issued after successful password
|
|
// verification, and only the nonce is embedded in the TOTP step form.
|
|
Nonce string // single-use server-side nonce replacing the password hidden field
|
|
}
|
|
|
|
// DashboardData is the view model for the dashboard page.
|
|
type DashboardData struct {
|
|
PageData
|
|
IsAdmin bool
|
|
RecentEvents []*db.AuditEventView
|
|
TotalAccounts int
|
|
ActiveAccounts int
|
|
}
|
|
|
|
// AccountsData is the view model for the accounts list page.
|
|
type AccountsData struct {
|
|
PageData
|
|
Accounts []*model.Account
|
|
}
|
|
|
|
// AccountDetailData is the view model for the account detail page.
|
|
type AccountDetailData struct {
|
|
Account *model.Account
|
|
// PGCred is nil if none stored or the account is not a system account.
|
|
PGCred *model.PGCredential
|
|
// PGCredGrants lists accounts that have been granted read access to PGCred.
|
|
// Only populated when the viewing actor is the credential owner.
|
|
PGCredGrants []*model.PGCredAccessGrant
|
|
// GrantableAccounts is the list of accounts the owner may grant access to.
|
|
GrantableAccounts []*model.Account
|
|
// ActorID is the DB id of the currently logged-in user; used in templates
|
|
// to decide whether to show the owner-only management controls.
|
|
ActorID *int64
|
|
PageData
|
|
Roles []string
|
|
AllRoles []string
|
|
Tags []string
|
|
Tokens []*model.TokenRecord
|
|
}
|
|
|
|
// AuditData is the view model for the audit log page.
|
|
type AuditData struct {
|
|
PageData
|
|
FilterType string
|
|
Events []*db.AuditEventView
|
|
EventTypes []string
|
|
Total int64
|
|
TotalPages int
|
|
Page int
|
|
}
|
|
|
|
// AuditDetailData is the view model for a single audit event detail page.
|
|
type AuditDetailData struct {
|
|
Event *db.AuditEventView
|
|
PageData
|
|
}
|
|
|
|
// PolicyRuleView is a single policy rule prepared for template rendering.
|
|
type PolicyRuleView struct {
|
|
Description string
|
|
RuleJSON string
|
|
CreatedAt string
|
|
UpdatedAt string
|
|
NotBefore string // empty if not set
|
|
ExpiresAt string // empty if not set
|
|
ID int64
|
|
Priority int
|
|
Enabled bool
|
|
IsExpired bool // true if expires_at is in the past
|
|
IsPending bool // true if not_before is in the future
|
|
}
|
|
|
|
// PoliciesData is the view model for the policies list page.
|
|
type PoliciesData struct {
|
|
PageData
|
|
Rules []*PolicyRuleView
|
|
AllActions []string
|
|
}
|
|
|
|
// ProfileData is the view model for the profile/settings page.
|
|
type ProfileData struct {
|
|
PageData
|
|
}
|
|
|
|
// PGCredsData is the view model for the "My PG Credentials" list page.
|
|
// It shows all pg_credentials sets accessible to the currently logged-in user:
|
|
// those they own and those they have been granted access to.
|
|
// UncredentialedAccounts is the list of system accounts that have no credentials
|
|
// yet, populated to drive the "New Credentials" create form on the same page.
|
|
// CredGrants maps credential ID to the list of access grants for that credential;
|
|
// only populated for credentials the actor owns.
|
|
// AllAccounts is used to populate the grant-access dropdown for owned credentials.
|
|
// ActorID is the DB id of the currently logged-in user.
|
|
type PGCredsData struct {
|
|
CredGrants map[int64][]*model.PGCredAccessGrant
|
|
ActorID *int64
|
|
PageData
|
|
Creds []*model.PGCredential
|
|
UncredentialedAccounts []*model.Account
|
|
AllAccounts []*model.Account
|
|
}
|