-
Notifications
You must be signed in to change notification settings - Fork 2
Expand file tree
/
Copy pathweb.go
More file actions
456 lines (408 loc) · 16.7 KB
/
Copy pathweb.go
File metadata and controls
456 lines (408 loc) · 16.7 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
package web
import (
"bytes"
"context"
"embed"
"fmt"
"html/template"
"io/fs"
"log/slog"
"net/http"
"sync"
"time"
"github.com/go-chi/chi/v5"
"github.com/forgekeep/nebula-mesh/internal/auth"
"github.com/forgekeep/nebula-mesh/internal/enrollment"
"github.com/forgekeep/nebula-mesh/internal/keystore"
"github.com/forgekeep/nebula-mesh/internal/pki"
"github.com/forgekeep/nebula-mesh/internal/ratelimit"
"github.com/forgekeep/nebula-mesh/internal/store"
)
//go:embed templates/*.html
var templateFS embed.FS
//go:embed static/*
var staticFS embed.FS
// Session exposes the underlying session manager so callers can wire up
// alternative login flows (e.g. OIDC) that need to issue sessions.
func (w *Web) Session() *SessionManager { return w.session }
// Web is the web UI handler.
type Web struct {
router chi.Router
store store.Store
templates map[string]*template.Template
logger *slog.Logger
session *SessionManager
oidc *OIDC
allowSelfRegistration bool
loginRecorder func(result, factor string)
events *EventBus
limiter *ratelimit.Limiter
passwordPolicy auth.Policy
caMaster *keystore.Master
caResolver *pki.CAResolver
enrollmentTokenTTL time.Duration
// apiKeyFlash holds freshly-minted operator API keys for one-shot
// display on the next operator-detail render. Closes GHSA-9pg3-25fq-p6cc
// by avoiding the raw token in the redirect URL. Keyed by the live
// session-cookie value so a refresh on a different browser sees nothing.
apiKeyFlashMu sync.Mutex
apiKeyFlash map[string]apiKeyFlashEntry
}
type apiKeyFlashEntry struct {
Key string
KeyName string
Expiry time.Time
}
const apiKeyFlashTTL = 5 * time.Minute
// WithPasswordPolicy installs the password policy used by registration
// and any future self-service password change. Defaults to auth.Default()
// when never called.
func (w *Web) WithPasswordPolicy(p auth.Policy) { w.passwordPolicy = p }
// WithRateLimiter wires a shared rate limiter so auth + UI routes pick
// up the same per-IP buckets the API server uses. nil disables limiting.
func (w *Web) WithRateLimiter(l *ratelimit.Limiter) {
w.limiter = l
w.setupRoutes()
}
// WithCAResolver wires a CA resolver for mobile bundle generation.
func (w *Web) WithCAResolver(r *pki.CAResolver) {
w.caResolver = r
}
// WithEnrollmentTokenTTL sets the default enrollment-token TTL applied to
// agent hosts created through the Web UI when no per-network override exists.
// Mirrors the API server's setter so both host-creation paths honor the same
// operator-configured lifetime policy. A non-positive ttl is ignored, leaving
// the resolver's built-in default in place. Closes GHSA-g4x6-jcvr-9m3g.
func (w *Web) WithEnrollmentTokenTTL(ttl time.Duration) {
if ttl > 0 {
w.enrollmentTokenTTL = ttl
}
}
// tokenTTLFor resolves the enrollment-token TTL for networkID via the shared
// enrollment policy resolver, identical to the API server path.
func (w *Web) tokenTTLFor(ctx context.Context, networkID string) time.Duration {
return enrollment.TokenTTL(ctx, w.store, w.enrollmentTokenTTL, networkID)
}
// noStore tells the browser not to cache UI responses. Without this Chrome
// will sometimes serve a stale page from bfcache after a 303 redirect lands
// back on the same URL, so freshly created networks / hosts only appear
// after a hard reload.
func (w *Web) noStore(next http.Handler) http.Handler {
return http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
rw.Header().Set("Cache-Control", "no-store")
next.ServeHTTP(rw, r)
})
}
// rateLimitMiddleware blocks requests for ip+group when the bucket is
// drained. Audit log calls are made by the handler when the request is
// admitted; rate-limited refusals only emit the 429 + Retry-After here.
func (w *Web) rateLimitMiddleware(group string) func(http.Handler) http.Handler {
return func(next http.Handler) http.Handler {
return http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
if w.limiter == nil {
next.ServeHTTP(rw, r)
return
}
ip := w.limiter.ClientIP(r)
ok, retry := w.limiter.Allow(ip, group)
if !ok {
masked := ratelimit.MaskIP(ip)
_ = w.store.AddAuditEntry(r.Context(), "anonymous", "auth.rate_limited", masked, "route="+group)
ratelimit.WriteRetryAfter(rw, retry)
return
}
next.ServeHTTP(rw, r)
})
}
}
// WithLoginRecorder wires an external sink (typically the API server's
// Prometheus metrics) that observes the outcome of every UI login attempt.
// Must be set before ServeHTTP is invoked. Passing nil disables recording.
func (w *Web) WithLoginRecorder(f func(result, factor string)) {
w.loginRecorder = f
}
// recordLogin is a nil-safe convenience wrapper used by the login handlers.
func (w *Web) recordLogin(result, factor string) {
if w.loginRecorder != nil {
w.loginRecorder(result, factor)
}
}
// AllowSelfRegistration enables the public /ui/register flow. Must be set
// before ServeHTTP is invoked. Default is false.
func (w *Web) AllowSelfRegistration(allow bool) { w.allowSelfRegistration = allow }
// WithCookieSecure threads the resolved cookie-secure flag through to the
// session manager and (if attached) OIDC. Call after WithOIDC so the OIDC
// state cookie picks up the same flag. Closes GHSA-rqfj-vv8r-xhqc.
func (w *Web) WithCookieSecure(secure bool) {
w.session.SetCookieSecure(secure)
w.oidc.SetCookieSecure(secure) // nil-safe inside SetCookieSecure
}
// WithOIDC attaches an OIDC provider and registers its login/callback routes.
// Must be called before ServeHTTP is invoked.
func (w *Web) WithOIDC(o *OIDC) {
w.oidc = o
if o == nil {
return
}
// Wire the auto-provision callback so OIDC can create default CA
// for new user-role operators on their first login.
o.provisionCA = w.provisionDefaultCA
// Both OIDC routes share the auth rate-limit bucket. /ui/oidc/login is
// unauthenticated and allocates server-side state per hit, so without a
// limiter an anonymous client could flood it and grow the in-memory state
// map for the full TTL window (GHSA-m3cx-mwpg-32jg). The handler also caps
// the map as a second line of defense.
w.router.With(w.rateLimitMiddleware("auth")).Get("/ui/oidc/login", o.HandleLogin)
w.router.With(w.rateLimitMiddleware("auth")).Get("/ui/oidc/callback", o.HandleCallback)
}
// New creates a new Web UI handler.
func New(s store.Store, logger *slog.Logger) (*Web, error) {
w := &Web{
store: s,
logger: logger,
session: NewSessionManager(s),
templates: make(map[string]*template.Template),
passwordPolicy: auth.Default(),
}
// Parse each page template with layout
pages := []string{
"dashboard.html",
"hosts.html",
"host_new.html",
"host_edit.html",
"host_detail.html",
"host_mobile_bundle.html",
"networks.html",
"twofa.html",
"profile.html",
"settings.html",
"operators_list.html",
"operator_new.html",
"operator_detail.html",
"cas_list.html",
"ca_new.html",
"ca_detail.html",
}
funcMap := template.FuncMap{
"deref": func(p *bool) bool {
if p == nil {
return false
}
return *p
},
// Stub functions for CSRF token injection; overridden per-request in renderWithStatus.
// Render helper (renderWithStatus) clones the template and replaces these with per-request closures.
"csrfToken": func() string { return "" },
"csrfField": func() template.HTML { return "" },
}
for _, page := range pages {
files := []string{"templates/layout.html", "templates/" + page}
// dashboard.html references the "stats" partial via {{template "stats" .}}
if page == "dashboard.html" {
files = append(files, "templates/stats_partial.html")
}
tmpl, err := template.New("").Funcs(funcMap).ParseFS(templateFS, files...)
if err != nil {
return nil, fmt.Errorf("parse template %s: %w", page, err)
}
w.templates[page] = tmpl
}
// Login pages are standalone (no layout)
for _, page := range []string{"login.html", "login_totp.html", "register.html"} {
tmpl, err := template.New("").Funcs(funcMap).ParseFS(templateFS, "templates/"+page)
if err != nil {
return nil, fmt.Errorf("parse %s: %w", page, err)
}
w.templates[page] = tmpl
}
// Standalone partial for HTMX polling — rendered without layout so the
// `every 30s` swap on .stats-grid does not embed a whole new sidebar +
// dashboard inside the existing one.
partial, err := template.New("").Funcs(funcMap).ParseFS(templateFS, "templates/stats_partial.html")
if err != nil {
return nil, fmt.Errorf("parse stats_partial.html: %w", err)
}
w.templates["stats_partial.html"] = partial
w.setupRoutes()
return w, nil
}
// maxBodySize caps request bodies for the web router. A declared
// Content-Length over the limit is rejected up front with 413; bodies without
// a declared length are wrapped with http.MaxBytesReader so a chunked upload
// still cannot exceed the cap. Closes the gap where unauthenticated /ui form
// POSTs (login/register) had no limit (#185).
func (w *Web) maxBodySize(maxBytes int64) func(http.Handler) http.Handler {
return func(next http.Handler) http.Handler {
return http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
if r.ContentLength > maxBytes {
http.Error(rw, "request body too large", http.StatusRequestEntityTooLarge)
return
}
if r.Body != nil {
r.Body = http.MaxBytesReader(rw, r.Body, maxBytes)
}
next.ServeHTTP(rw, r)
})
}
}
func (w *Web) setupRoutes() {
r := chi.NewRouter()
// Cap request bodies on every /ui route (#185). The web router serves
// unauthenticated form POSTs (/ui/login, /ui/register); without a limit,
// ParseForm reads the whole body into memory, so an unauthenticated client
// could exhaust RAM. Mirrors the API server's maxBodySize.
r.Use(w.maxBodySize(1 << 20))
// Static files
staticSub, _ := fs.Sub(staticFS, "static")
r.Handle("/static/*", http.StripPrefix("/static/", http.FileServer(http.FS(staticSub))))
// Favicon (public, served from embedded SVG)
r.Get("/favicon.ico", w.handleFavicon)
// Bare root redirects to the dashboard so first-time visitors land on /ui/
// instead of a 404. Per issue #69, the catch-all mux now sends "/" to the
// Web UI; this redirect keeps existing /ui/ links and bookmarks canonical
// instead of switching every UI URL to bare root in one go.
r.Get("/", func(rw http.ResponseWriter, req *http.Request) {
http.Redirect(rw, req, "/ui/", http.StatusFound)
})
// CSRF middleware wraps all /ui/* endpoints (including pre-auth endpoints)
// to validate mutating requests. Double-submit cookie pattern: GET requests
// set the _csrf cookie; mutating requests validate token from cookie vs form/header.
r.Group(func(r chi.Router) {
r.Use(w.csrfMiddleware)
// Login (public). Auth-group rate limit only on the form submissions
// — GET pages render the form and a 429 there would just confuse
// legitimate users who haven't yet pressed Submit.
r.Get("/ui/login", w.handleLoginPage)
r.With(w.rateLimitMiddleware("auth")).Post("/ui/login", w.handleLogin)
r.Get("/ui/login/totp", w.handleTOTPLoginPage)
r.With(w.rateLimitMiddleware("auth")).Post("/ui/login/totp", w.handleTOTPLogin)
r.Get("/ui/register", w.handleRegisterPage)
r.With(w.rateLimitMiddleware("auth")).Post("/ui/register", w.handleRegister)
// Protected routes
r.Group(func(r chi.Router) {
r.Use(w.rateLimitMiddleware("ui"))
r.Use(w.requireAuth)
r.Use(w.noStore)
r.Get("/ui/", w.handleDashboard)
r.Get("/ui/hosts", w.handleHosts)
r.Get("/ui/hosts/new", w.handleHostNew)
r.Post("/ui/hosts", w.handleHostCreate)
r.Get("/ui/hosts/{id}", w.handleHostDetail)
r.Get("/ui/hosts/{id}/edit", w.handleHostEdit)
r.Post("/ui/hosts/{id}/edit", w.handleHostUpdate)
r.Post("/ui/hosts/{id}/mobile-bundle/generate", w.handleGenerateMobileBundle)
r.Post("/ui/hosts/{id}/block", w.handleHostBlock)
r.Delete("/ui/hosts/{id}", w.handleHostDelete)
r.Get("/ui/networks", w.handleNetworks)
r.Post("/ui/networks", w.handleNetworkCreate)
r.Get("/ui/profile", w.handleProfilePage)
r.Post("/ui/profile/change-password", w.handleChangePassword)
r.Get("/ui/2fa", w.handleTwoFAPage)
r.Get("/ui/2fa/required", w.handleTwoFARequired)
r.Get("/ui/settings", w.handleSettingsPage)
r.Post("/ui/settings", w.handleSettingsSave)
// Admin-only operator + API-key management (issue #45).
r.Group(func(r chi.Router) {
r.Use(w.requireAdmin)
r.Get("/ui/operators", w.handleOperatorsList)
r.Get("/ui/operators/new", w.handleOperatorNewPage)
r.Post("/ui/operators", w.handleOperatorCreate)
r.Get("/ui/operators/{id}", w.handleOperatorDetail)
r.Post("/ui/operators/{id}/disable", w.handleOperatorDisable)
r.Post("/ui/operators/{id}/enable", w.handleOperatorEnable)
r.Post("/ui/operators/{id}/reset-password", w.handleOperatorResetPassword)
r.Post("/ui/operators/{id}/api-keys", w.handleOperatorCreateAPIKey)
r.Post("/ui/operators/{id}/api-keys/{kid}/revoke", w.handleOperatorRevokeAPIKey)
})
// Per-operator CA management (issue #46). Available to every
// authenticated operator; non-admins only see / act on the CAs
// they own — enforced server-side by loadAccessibleCA.
r.Get("/ui/cas", w.handleCAsList)
r.Get("/ui/cas/new", w.handleCANewPage)
r.Post("/ui/cas", w.handleCACreate)
r.Get("/ui/cas/{id}", w.handleCADetail)
r.Post("/ui/cas/{id}/retire", w.handleCARetire)
r.Post("/ui/cas/{id}/rotate", w.handleCARotate)
r.Post("/ui/cas/{id}/delete", w.handleCADelete)
r.Post("/ui/2fa/setup", w.handleTwoFASetup)
r.Post("/ui/2fa/enable", w.handleTwoFAEnable)
r.Post("/ui/2fa/disable", w.handleTwoFADisable)
r.Post("/ui/2fa/recovery-codes", w.handleTwoFARegenCodes)
r.Get("/ui/partials/stats", w.handlePartialStats)
r.Get("/ui/events", w.handleHostEvents)
r.Post("/ui/logout", w.handleLogout)
})
})
w.router = r
}
// StartSessionCleanup starts periodic removal of expired sessions.
// Stops when ctx is canceled.
func (w *Web) StartSessionCleanup(ctx context.Context) {
w.session.StartCleanup(ctx, 1*time.Hour)
}
// ServeHTTP implements http.Handler.
func (w *Web) ServeHTTP(rw http.ResponseWriter, r *http.Request) {
w.router.ServeHTTP(rw, r)
}
// renderForRequest renders a template with the current operator (if any)
// injected as `.CurrentUser`, so the shared layout can show the profile chip
// without each handler having to pass it explicitly. Standalone login /
// register pages take this path too — the field is just unused there.
func (w *Web) renderForRequest(rw http.ResponseWriter, r *http.Request, name string, data map[string]any) {
w.renderForRequestWithStatus(rw, r, 0, name, data)
}
// renderForRequestWithStatus is renderForRequest with an explicit HTTP
// status code (e.g. 400 for form validation errors). status=0 means "leave
// it to net/http" (defaults to 200).
func (w *Web) renderForRequestWithStatus(rw http.ResponseWriter, r *http.Request, status int, name string, data map[string]any) {
if data == nil {
data = map[string]any{}
}
if _, present := data["CurrentUser"]; !present {
data["CurrentUser"] = w.session.CurrentOperator(r)
}
w.renderWithStatus(r.Context(), rw, status, name, data)
}
func (w *Web) renderWithStatus(ctx context.Context, rw http.ResponseWriter, status int, name string, data map[string]any) {
tmpl, ok := w.templates[name]
if !ok {
w.logger.Error("template not found", "template", name)
http.Error(rw, "Internal Server Error", http.StatusInternalServerError)
return
}
// For pages with layout, execute "layout.html"; for standalone pages, execute the file directly
execName := "layout.html"
if name == "login.html" || name == "login_totp.html" || name == "register.html" {
execName = name
}
if name == "stats_partial.html" {
execName = "stats"
}
var buf bytes.Buffer
// Clone template and inject per-request CSRF token closures.
// The closures capture the current request context to retrieve the token set by csrfMiddleware.
clonedTmpl, err := tmpl.Clone()
if err != nil {
w.logger.Error("clone template", "template", name, "error", err)
http.Error(rw, "Internal Server Error", http.StatusInternalServerError)
return
}
// Register per-request FuncMap closures that capture the token from the request context.
token := tokenFromContext(ctx)
clonedTmpl.Funcs(template.FuncMap{
"csrfToken": func() string { return token },
"csrfField": func() template.HTML { return csrfFieldHTML(token) },
})
if err := clonedTmpl.ExecuteTemplate(&buf, execName, data); err != nil {
w.logger.Error("render template", "template", name, "error", err)
http.Error(rw, "Internal Server Error", http.StatusInternalServerError)
return
}
rw.Header().Set("Content-Type", "text/html; charset=utf-8")
if status != 0 {
rw.WriteHeader(status)
}
if _, err := buf.WriteTo(rw); err != nil {
w.logger.Error("write response", "template", name, "error", err)
}
}