MatrixGW/src/server/web_ui.rs

use crate::app_config::AppConfig;
use crate::constants::{STATE_KEY, USER_SESSION_KEY};
use crate::server::{HttpFailure, HttpResult};
use crate::user::{APIClient, APIClientID, User, UserConfig, UserID};
use crate::utils;
use actix_session::Session;
use actix_web::{web, HttpResponse};
use askama::Template;
use ipnet::IpNet;
use light_openid::primitives::OpenIDConfig;
use std::str::FromStr;

/// Static assets
#[derive(rust_embed::Embed)]
#[folder = "assets/"]
struct Assets;

/// Serve static file
pub async fn static_file(path: web::Path<String>) -> HttpResult {
    match Assets::get(path.as_ref()) {
        Some(content) => Ok(HttpResponse::Ok()
            .content_type(
                mime_guess::from_path(path.as_str())
                    .first_or_octet_stream()
                    .as_ref(),
            )
            .body(content.data.into_owned())),
        None => Ok(HttpResponse::NotFound().body("404 Not Found")),
    }
}

#[derive(askama::Template)]
#[template(path = "index.html")]
struct HomeTemplate {
    name: String,
    user_id: UserID,
    matrix_token: String,
    clients: Vec<APIClient>,
    success_message: Option<String>,
    error_message: Option<String>,
}

/// HTTP form request
#[derive(serde::Deserialize)]
pub struct FormRequest {
    /// Update matrix token
    new_matrix_token: Option<String>,

    /// Create a new client
    new_client_desc: Option<String>,

    /// Restrict new client to a given network
    ip_network: Option<String>,

    /// Grant read only access to client
    readonly_client: Option<String>,

    /// Delete a specified client id
    delete_client_id: Option<APIClientID>,
}

/// Main route
pub async fn home(session: Session, form_req: Option<web::Form<FormRequest>>) -> HttpResult {
    // Get user information, requesting authentication if information is missing
    let Some(user): Option<User> = session.get(USER_SESSION_KEY)? else {
        // Generate auth state
        let state = utils::rand_str(50);
        session.insert(STATE_KEY, &state)?;

        let oidc = AppConfig::get().openid_provider();
        let config = OpenIDConfig::load_from_url(oidc.configuration_url)
            .await
            .map_err(HttpFailure::OpenID)?;

        let auth_url = config.gen_authorization_url(oidc.client_id, &state, &oidc.redirect_url);

        return Ok(HttpResponse::Found()
            .append_header(("location", auth_url))
            .finish());
    };

    let mut success_message = None;
    let mut error_message = None;

    // Retrieve user configuration
    let mut config = UserConfig::load(&user.id, true)
        .await
        .map_err(HttpFailure::FetchUserConfig)?;

    if let Some(form_req) = form_req {
        // Update matrix token, if requested
        if let Some(t) = form_req.0.new_matrix_token {
            if t.len() < 3 {
                error_message = Some("Specified Matrix token is too short!".to_string());
            } else {
                // TODO : invalidate all existing connections
                config.matrix_token = t;
                config.save().await?;
                success_message = Some("Matrix token was successfully updated!".to_string());
            }
        }

        // Create a new client, if requested
        if let Some(new_token_desc) = form_req.0.new_client_desc {
            let ip_net = match form_req.0.ip_network.as_deref() {
                None | Some("") => None,
                Some(e) => match IpNet::from_str(e) {
                    Ok(n) => Some(n),
                    Err(e) => {
                        log::error!("Failed to parse IP network provided by user: {e}");
                        error_message = Some(format!("Failed to parse restricted IP network: {e}"));
                        None
                    }
                },
            };

            if error_message.is_none() {
                let mut token = APIClient::generate(new_token_desc, ip_net);
                token.readonly_client = form_req.0.readonly_client.is_some();
                success_message = Some(format!("The secret of your new token is '{}'. Be sure to write it somewhere as you will not be able to recover it later!", token.secret));
                config.clients.push(token);
                config.save().await?;
            }
        }

        // Delete a client
        if let Some(delete_client_id) = form_req.0.delete_client_id {
            config.clients.retain(|c| c.id != delete_client_id);
            config.save().await?;
            success_message = Some("The client was successfully deleted!".to_string());
            // TODO : close connections with given id
        }
    }

    // Render page
    Ok(HttpResponse::Ok()
        .insert_header(("content-type", "text/html"))
        .body(
            HomeTemplate {
                name: user.name,
                user_id: user.id,
                matrix_token: config.obfuscated_matrix_token(),
                clients: config.clients,
                success_message,
                error_message,
            }
            .render()
            .unwrap(),
        ))
}

#[derive(serde::Deserialize)]
pub struct AuthCallbackQuery {
    code: String,
    state: String,
}

/// Authenticate user callback
pub async fn oidc_cb(session: Session, query: web::Query<AuthCallbackQuery>) -> HttpResult {
    if session.get(STATE_KEY)? != Some(query.state.to_string()) {
        return Ok(HttpResponse::BadRequest()
            .append_header(("content-type", "text/html"))
            .body("State mismatch! <a href='/'>Try again</a>"));
    }

    let oidc = AppConfig::get().openid_provider();
    let config = OpenIDConfig::load_from_url(oidc.configuration_url)
        .await
        .map_err(HttpFailure::OpenID)?;

    let (token, _) = match config
        .request_token(
            oidc.client_id,
            oidc.client_secret,
            &query.code,
            &oidc.redirect_url,
        )
        .await
    {
        Ok(t) => t,
        Err(e) => {
            log::error!("Failed to request user token! {e}");

            return Ok(HttpResponse::BadRequest()
                .append_header(("content-type", "text/html"))
                .body("Authentication failed! <a href='/'>Try again</a>"));
        }
    };

    let (user, _) = config
        .request_user_info(&token)
        .await
        .map_err(HttpFailure::OpenID)?;

    let user = User {
        id: UserID(user.sub),
        name: user.name.unwrap_or("no_name".to_string()),
        email: user.email.unwrap_or("no@mail.com".to_string()),
    };
    log::info!("Successful authentication as {:?}", user);
    session.insert(USER_SESSION_KEY, user)?;

    Ok(HttpResponse::Found()
        .insert_header(("location", "/"))
        .finish())
}

/// De-authenticate user
pub async fn sign_out(session: Session) -> HttpResult {
    session.remove(USER_SESSION_KEY);

    Ok(HttpResponse::Found()
        .insert_header(("location", "/"))
        .finish())
}