2022-03-08 20:28:09 +00:00
|
|
|
// Copyright 2021-2022 the Pinniped contributors. All Rights Reserved.
|
2021-06-30 16:50:01 +00:00
|
|
|
// SPDX-License-Identifier: Apache-2.0
|
|
|
|
|
|
|
|
// Package formposthtml defines HTML templates used by the Supervisor.
|
|
|
|
package formposthtml
|
|
|
|
|
|
|
|
import (
|
|
|
|
_ "embed" // Needed to trigger //go:embed directives below.
|
|
|
|
"html/template"
|
|
|
|
"strings"
|
|
|
|
|
|
|
|
"github.com/tdewolff/minify/v2/minify"
|
2022-05-05 20:12:06 +00:00
|
|
|
|
|
|
|
"go.pinniped.dev/internal/oidc/provider/csp"
|
2021-06-30 16:50:01 +00:00
|
|
|
)
|
|
|
|
|
2022-08-24 21:45:55 +00:00
|
|
|
//nolint:gochecknoglobals // This package uses globals to ensure that all parsing and minifying happens at init.
|
2021-06-30 16:50:01 +00:00
|
|
|
var (
|
|
|
|
//go:embed form_post.css
|
|
|
|
rawCSS string
|
2022-05-19 23:02:08 +00:00
|
|
|
minifiedCSS = panicOnError(minify.CSS(rawCSS))
|
2021-06-30 16:50:01 +00:00
|
|
|
|
|
|
|
//go:embed form_post.js
|
|
|
|
rawJS string
|
2022-05-19 23:02:08 +00:00
|
|
|
minifiedJS = panicOnError(minify.JS(rawJS))
|
2021-06-30 16:50:01 +00:00
|
|
|
|
|
|
|
//go:embed form_post.gohtml
|
|
|
|
rawHTMLTemplate string
|
|
|
|
|
2022-08-24 21:45:55 +00:00
|
|
|
// Parse the Go templated HTML and inject functions providing the minified inline CSS and JS.
|
|
|
|
parsedHTMLTemplate = template.Must(template.New("form_post.gohtml").Funcs(template.FuncMap{
|
|
|
|
"minifiedCSS": func() template.CSS { return template.CSS(minifiedCSS) },
|
|
|
|
"minifiedJS": func() template.JS { return template.JS(minifiedJS) }, //nolint:gosec // This is 100% static input, not attacker-controlled.
|
|
|
|
}).Parse(rawHTMLTemplate))
|
|
|
|
|
|
|
|
// Generate the CSP header value once since it's effectively constant.
|
|
|
|
cspValue = strings.Join([]string{
|
|
|
|
`default-src 'none'`,
|
|
|
|
`script-src '` + csp.Hash(minifiedJS) + `'`,
|
|
|
|
`style-src '` + csp.Hash(minifiedCSS) + `'`,
|
|
|
|
`img-src data:`,
|
|
|
|
`connect-src *`,
|
|
|
|
`frame-ancestors 'none'`,
|
|
|
|
}, "; ")
|
|
|
|
)
|
2021-06-30 16:50:01 +00:00
|
|
|
|
2022-05-19 23:02:08 +00:00
|
|
|
func panicOnError(s string, err error) string {
|
2021-06-30 16:50:01 +00:00
|
|
|
if err != nil {
|
|
|
|
panic(err)
|
|
|
|
}
|
|
|
|
return s
|
|
|
|
}
|
|
|
|
|
|
|
|
// ContentSecurityPolicy returns the Content-Security-Policy header value to make the Template() operate correctly.
|
|
|
|
//
|
2022-05-05 20:12:06 +00:00
|
|
|
// See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy.
|
2021-06-30 16:50:01 +00:00
|
|
|
func ContentSecurityPolicy() string { return cspValue }
|
|
|
|
|
|
|
|
// Template returns the html/template.Template for rendering the response_type=form_post response page.
|
|
|
|
func Template() *template.Template { return parsedHTMLTemplate }
|