google · google-oss-robot · Sep 1, 2020 · Aug 31, 2020 · Aug 31, 2020 · Sep 1, 2020
@@ -0,0 +1,122 @@
+{{define "admin/newrealm"}}
+
+{{$realm := .realm}}
+
+<!doctype html>
+<html lang="en">
+<head>
+  {{template "head" .}}
+</head>
+
+<body>
+  {{template "navbar" .}}
+
+  <main role="main" class="container">
+    {{template "flash" .}}
+
+    <h1>New realm</h1>
+    <p>
+      Use the form below to create a new realm.
+    </p>
+
+    <div class="card mb-3">
+      <div class="card-header">Details</div>
+      <div class="card-body">
+        <form method="POST" action="/admin/realms/create">
+          {{ .csrfField }}
+
+          <div class="form-group row">
+            <label for="name" class="col-sm-3">Name:</label>
+            <div class="col-sm-9">
+              <input type="text" id="name" name="name" class="form-control{{if $realm.ErrorsFor "name"}} is-invalid{{end}}" value="{{$realm.Name}}" />
+              {{if $realm.ErrorsFor "name"}}
+              <div class="invalid-feedback">
+                {{joinStrings ($realm.ErrorsFor "name") ", "}}
+              </div>
+              {{end}}
+            </div>
+          </div>
+
+          <div class="form-group row">
+            <label for="name" class="col-sm-3">Region code:</label>
+            <div class="col-sm-9">
+              <input type="text" id="regionCode" name="regionCode" class="form-control{{if $realm.ErrorsFor "regionCode"}} is-invalid{{end}}" value="{{$realm.RegionCode}}" />
+              {{if $realm.ErrorsFor "regionCode"}}
+              <div class="invalid-feedback">
+                {{joinStrings ($realm.ErrorsFor "regionCode") ", "}}
+              </div>
+              {{end}}
+              <small class="form-text text-muted">
+                Used in creating deep link SMS for multi-helath authority apps. Region should
+                be <a href="https://en.wikipedia.org/wiki/List_of_ISO_3166_country_codes">ISO 3166-1 country codes and ISO 3166-2 subdivision codes</a> where applicable.
+                For example, Washington State would be <code>US-WA</code>.
+              </small>
+            </div>
+          </div>
+
+          {{if .supportsPerRealmSigning}}
+          <div class="form-group row">
+            <label for="type" class="col-sm-3">Certificate signing keys:</label>
+            <div class="col-sm-9">
+              <select class="form-control{{if $realm.ErrorsFor "UseRealmCertificateKey"}} is-invalid{{end}}" name="useRealmCertificateKey" id="useRealmCertificateKey">
+                <option value="true" {{if $realm.UseRealmCertificateKey}}selected{{end}}>Create realm specific signing key</option>
+                <option value="false" {{if not $realm.UseRealmCertificateKey}}selected{{end}}>Use system signing key</option>
+              </select>
+              {{if $realm.ErrorsFor "UseRealmCertificateKey"}}
+              <div class="invalid-feedback">
+                {{joinStrings ($realm.ErrorsFor "UseRealmCertificateKey") ", "}}
+              </div>
+              {{end}}
+              <small class="form-text text-muted">
+                It is recommended that you create a realm specific signing key when creating a new realm. However, it
+                is important to note that this once a realm is created, you cannot switch back to using the system
+                signing key.
+              </small>
+            </div>
+          </div>
+
+          <div class="form-group row">
+            <label for="name" class="col-sm-3">Issuer (iss):</label>
+            <div class="col-sm-9">
+              <input type="text" id="certificateIssuer" name="certificateIssuer" class="form-control{{if $realm.ErrorsFor "certificateIssuer"}} is-invalid{{end}}" value="{{$realm.CertificateIssuer}}" />
+              {{if $realm.ErrorsFor "certificateIssuer"}}
+                <div class="invalid-feedback">
+                  {{joinStrings ($realm.ErrorsFor "certificateIssuer") ", "}}
+                </div>
+              {{end}}
+              <small class="form-text text-muted">
+                This value is specific to the health authority.<br/>After created using realm specific keys, this field cannot be changed.
+              </small>
+            </div>
+          </div>
+          <div class="form-group row">
+            <label for="name" class="col-sm-3">Audience (aud):</label>
+            <div class="col-sm-9">
+              <input type="text" id="certificateAudiance" name="certificateAudiance" class="form-control{{if $realm.ErrorsFor "certificateAudience"}} is-invalid{{end}}" value="{{$realm.CertificateAudience}}" />
+              {{if $realm.ErrorsFor "certificateAudience"}}
+                <div class="invalid-feedback">
+                  {{joinStrings ($realm.ErrorsFor "certificateAudience") ", "}}
+                </div>
+              {{end}}
+              <small class="form-text text-muted">
+                The audience (<tt>aud</tt>) value is provided the <em>key server</em> operator.<br/>
+                After upgrading to use realm specific keys, this field cannot be changed.
+              </small>
+            </div>
+          </div>
+          {{end}}
+
+          <div class="form-group row">
+            <div class="offset-sm-3 col-sm-9">
+              <button type="submit" class="btn btn-primary btn-block">Create realm</button>
+            </div>
+          </div>
+        </form>
+      </div>
+    </div>
+  </main>
+
+  {{template "scripts" .}}
+</body>
+</html>
+{{end}}
@@ -0,0 +1,53 @@
+{{define "admin/realms"}}
+
+<!doctype html>
+<html lang="en">
+<head>
+  {{template "head" .}}
+</head>
+
+<body>
+  {{template "navbar" .}}
+
+  <main role="main" class="container">
+    {{template "flash" .}}
+
+    <h1>Realms</h1>
+    <p>
+       These are the currently available realms. You can also <a href="/admin/realms/create">create a new realm</a>.
+    </p>
+
+    {{if .realms}}
+    <div class="table-responsive">
+      <table class="table table-bordered table-striped">
+        <thead>
+          <tr>
+            <th scope="col">Name</th>
+            <th scope="col" width="25">Region code</th>
+            <th scope="col" width="50">Signing key</th>
+          </tr>
+        </thead>
+        <tbody>
+        {{range .realms}}
+          <tr>
+              <td>{{.Name}}</td>
+              <td>{{.RegionCode}}</td>
+              <td>
+                  {{if .UseRealmCertificateKey}}Realm{{else}}System{{end}}
+              </td>
+          </tr>
+        {{end}}
+        </tbody>
+      </table>
+    </div>
+    {{else}}
+    <p class="text-center">
+      <em>There are no realms.</em>
+    </p>
+    {{end}}
+  </main>
+
+  {{template "scripts" .}}
+</body>
+</html>
+{{end}}
@@ -189,6 +189,12 @@ <h6 class="dropdown-header">Manage realm</h6>
               {{end}}
               {{end}}
 
+              {{if .currentUser.Admin}}
+              <h6 class="dropdown-header">System admin</h6>
+              <a class="dropdown-item" href="/admin/realms">Realms</a>
+              <div class="dropdown-divider"></div>
+              {{end}}
+
               <h6 class="dropdown-header">Actions</h6>
               {{if gt (len .currentUser.Realms) 1}}
               <a class="dropdown-item" href="/realm">Change realm</a>

@@ -26,6 +26,7 @@ import (
 	"github.com/google/exposure-notifications-verification-server/pkg/cache"
 	"github.com/google/exposure-notifications-verification-server/pkg/config"
 	"github.com/google/exposure-notifications-verification-server/pkg/controller"
+	"github.com/google/exposure-notifications-verification-server/pkg/controller/admin"
 	"github.com/google/exposure-notifications-verification-server/pkg/controller/apikey"
 	"github.com/google/exposure-notifications-verification-server/pkg/controller/codestatus"
 	"github.com/google/exposure-notifications-verification-server/pkg/controller/home"
@@ -180,6 +181,7 @@ func realMain(ctx context.Context) error {
 	requireVerified := middleware.RequireVerified(ctx, auth, db, h, config.SessionDuration)
 	requireAdmin := middleware.RequireRealmAdmin(ctx, h)
 	requireRealm := middleware.RequireRealm(ctx, cacher, db, h)
+	requireSystemAdmin := middleware.RequireAdmin(ctx, h)
 	rateLimit := httplimiter.Handle
 
 	{
@@ -336,6 +338,20 @@ func realMain(ctx context.Context) error {
 		jwksSub.Handle("/{realm}", jwksController.HandleIndex()).Methods("GET")
 	}
 
+	// System admin.
+	{
+		adminSub := r.PathPrefix("/admin").Subrouter()
+		adminSub.Use(requireAuth)
+		adminSub.Use(requireVerified)
+		adminSub.Use(requireSystemAdmin)
+		adminSub.Use(rateLimit)
+
+		adminController := admin.New(ctx, config, cacher, db, h)
+		adminSub.Handle("/realms", adminController.HandleIndex()).Methods("GET")
+		adminSub.Handle("/realms/create", adminController.HandleCreateRealm()).Methods("GET")
+		adminSub.Handle("/realms/create", adminController.HandleCreateRealm()).Methods("POST")
+	}
+
 	// Wrap the main router in the mutating middleware method. This cannot be
 	// inserted as middleware because gorilla processes the method before
 	// middleware.

@@ -0,0 +1,46 @@
+// Copyright 2020 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// Package admin contains controllers for system wide administrative actions.
+package admin
+
+import (
+	"context"
+
+	"github.com/google/exposure-notifications-verification-server/pkg/config"
+	"github.com/google/exposure-notifications-verification-server/pkg/database"
+	"github.com/google/exposure-notifications-verification-server/pkg/render"
+
+	"github.com/google/exposure-notifications-server/pkg/logging"
+
+	"go.uber.org/zap"
+)
+
+type Controller struct {
+	config *config.ServerConfig
+	db     *database.Database
+	h      *render.Renderer
+	logger *zap.SugaredLogger
+}
+
+func New(ctx context.Context, config *config.ServerConfig, db *database.Database, h *render.Renderer) *Controller {
+	logger := logging.FromContext(ctx).Named("admin")
+
+	return &Controller{
+		config: config,
+		db:     db,
+		h:      h,
+		logger: logger,
+	}
+}
@@ -0,0 +1,111 @@
+// Copyright 2020 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package admin
+
+import (
+	"context"
+	"fmt"
+	"net/http"
+
+	"github.com/google/exposure-notifications-verification-server/pkg/controller"
+	"github.com/google/exposure-notifications-verification-server/pkg/database"
+)
+
+func (c *Controller) HandleCreateRealm() http.Handler {
+	type FormData struct {
+		Name                   string `form:"name"`
+		RegionCode             string `form:"regionCode"`
+		UseRealmCertificateKey bool   `form:"useRealmCertificateKey"`
+		CertificateIssuer      string `form:"certificateIssuer"`
+		CertificateAudience    string `form:"certificateAudiance"`
+	}
+
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		ctx := r.Context()
+
+		session := controller.SessionFromContext(ctx)
+		if session == nil {
+			controller.MissingSession(w, r, c.h)
+			return
+		}
+
+		user := controller.UserFromContext(ctx)
+		if user == nil {
+			controller.MissingUser(w, r, c.h)
+			return
+		}
+
+		flash := controller.Flash(session)
+
+		// Requested form, stop processing.
+		if r.Method == http.MethodGet {
+			var realm database.Realm
+			realm.UseRealmCertificateKey = true
+			c.renderNew(ctx, w, &realm)
+			return
+		}
+
+		var form FormData
+		if err := controller.BindForm(w, r, &form); err != nil {
+			var realm database.Realm
+			realm.UseRealmCertificateKey = true
+			flash.Error("Failed to process form: %v", err)
+			c.renderNew(ctx, w, &realm)
+			return
+		}
+
+		realm := database.NewRealmWithDefaults(form.Name)
+		realm.RegionCode = form.RegionCode
+		realm.UseRealmCertificateKey = form.UseRealmCertificateKey
+		realm.CertificateIssuer = form.CertificateIssuer
+		realm.CertificateAudience = form.CertificateAudience
+		if err := c.db.SaveRealm(realm); err != nil {
+			flash.Error("Failed to create realm: %v", err)
+			c.renderNew(ctx, w, realm)
+			return
+		}
+		flash.Alert("Created realm: %q.", realm.Name)
+
+		user.Realms = append(user.Realms, realm)
+		user.AdminRealms = append(user.AdminRealms, realm)
+		if err := c.db.SaveUser(user); err != nil {
+			flash.Error("Failed to add you as an admin to the realm: %v", err)
+			c.renderNew(ctx, w, realm)
+			return
+		}
+		flash.Alert("Added you as a user and admin to the realm.")
+
+		if realm.UseRealmCertificateKey {
+			// If we are using realm specific keys - we need to create the first one.
+			keyID, err := realm.CreateSigningKeyVersion(ctx, c.db)
+			if err != nil {
+				flash.Error("Failed to create signing keys for realm. This can be done from the realm's admin screens.")
+				http.Redirect(w, r, "/admin/realms", http.StatusSeeOther)
+				return
+			}
+			flash.Alert("Created initial signing key for realm, id: %q", keyID)
+		}
+
+		http.Redirect(w, r, "/admin/realms", http.StatusSeeOther)
+	})
+}
+
+func (c *Controller) renderNew(ctx context.Context, w http.ResponseWriter, realm *database.Realm) {
+	m := controller.TemplateMapFromContext(ctx)
+	fmt.Printf("errors %+v", realm.Errors())
+	m["realm"] = realm
+	m["supportsPerRealmSigning"] = c.db.SupportsPerRealmSigning()
+	c.h.RenderHTML(w, "admin/newrealm", m)
+}