package main import ( "crypto" "crypto/rand" "encoding/base64" "fmt" "io" "log" "net/http" "os" "path" "strings" "text/template" "time" "github.com/gorilla/mux" "git.teamworkapps.com/shortcut/forms" "github.com/knadh/go-pop3" ) // We use my forms package to create a password change form which on success executes a docker call to change the password type tplData struct { Time int64 Body string } func mwLog(next http.Handler) http.Handler { return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { log.Printf("%s %s", r.RemoteAddr, r.URL.String()) next.ServeHTTP(w, r) }) } func main() { forms.GlobalStyles.ContainerClasses = "w-full bg-gray-100 justify-center py-6 rounded-lg shadow flex" forms.GlobalStyles.ItemClasses = "w-full px-1 py-2" forms.GlobalStyles.ErrorClasses = "text-red-600 text-right font-bold text-xl" forms.GlobalStyles.LabelClasses = "block text-sm font-medium leading-6 text-gray-900" forms.GlobalStyles.InputClasses = "block w-full rounded-md border-0 py-1.5 text-gray-900 shadow-sm ring-1 ring-inset ring-gray-300 placeholder:text-gray-400 focus:ring-2 focus:ring-inset focus:ring-indigo-600 sm:text-sm sm:leading-6" f := forms.NewForm() e := forms.NewElement() e.Label = "Email Address" e.Type = "text" e.Validator = "email" e.FailMessage = "Must be a valid email address" e.Name = "email" f.Add(e) e = forms.NewElement() e.Label = "Old Password" e.Type = "password" e.Validator = "" e.FailMessage = "Passsword Incorrect" e.Name = "oldpassword" f.Add(e) e = forms.NewElement() e.Label = "New Password" e.Type = "password" e.FailMessage = "Password must be at least 8 characters long and contain at least one uppercase letter, one lowercase letter and one digit" e.Validator = "minlength=8;haslowercase;hasuppercase;hasdigit" e.Name = "newpassword" f.Add(e) e = forms.NewElement() e.Label = "Confirm Password" e.Type = "password" e.FailMessage = "Passwords do not match" e.Validator = "mustmatch=newpassword" e.Name = "confirmpassword" f.Add(e) e = forms.NewElement() e.Label = "Change Password" e.Type = "submit" e.InputClasses = "flex w-full justify-center rounded-md bg-indigo-600 px-3 py-1.5 text-sm font-semibold leading-6 text-white shadow-sm hover:bg-indigo-500 focus-visible:outline focus-visible:outline-2 focus-visible:outline-offset-2 focus-visible:outline-indigo-600" f.Add(e) f.Route = "/chpass/changepassword" out, err := f.ToJSON() if err == nil { os.WriteFile("form.json", out, 0644) } tmpFile := "template.html" tmpl, err := template.New(path.Base(tmpFile)).ParseFiles(tmpFile) if err != nil { log.Fatal(err) } var d tplData r := mux.NewRouter() r.Use(mwLog) r.HandleFunc("/style.css", http.FileServer(http.Dir("./")).ServeHTTP) r.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) { d.Body = f.Render(false) tmpl.Execute(w, d) }) r.HandleFunc("/changepassword", func(w http.ResponseWriter, r *http.Request) { if f.Validate(r) != nil { d.Body = f.Render(true) tmpl.Execute(w, d) return } // Test if the given username ans password can authenticate via pop3 // If so, change the password p := pop3.New(pop3.Opt{Host: "teamworkapps.com", Port: 995, TLSEnabled: true}) c, err := p.NewConn() if err != nil { log.Println(err) d.Body = "Internal error" tmpl.Execute(w, d) return } defer c.Quit() // Authenticate. if err := c.Auth(f.GetValue("email"), f.GetValue("oldpassword")); err != nil { f.MakeInvalid("oldpassword", "Invalid password") d.Body = f.Render(true) tmpl.Execute(w, d) return } // Change the password if !modifyPasswordFile(f.GetValue("email"), f.GetValue("newpassword")) { log.Println(err) d.Body = "Internal error" tmpl.Execute(w, d) return } d.Body = "Password changed. You will need to login again." tmpl.Execute(w, d) }) d.Time = time.Now().Unix() d.Body = f.Render(true) tmpl.Execute(os.Stdout, d) http.ListenAndServe("127.0.0.1:8910", r) } /* example password entry: recreation@pinnaclelake.com|{SHA512-CRYPT}$6$uTiy7Q5xn1CIN22w$3VAElns3TFfejtdTCTJMcz8k2UPPwAmlUIoXC4NgPJRnDcgo3CnI91EsB6irgwuecCrolxAx7i4mjvTxPaAlf0 */ // createPasswordEntry: input email and plain text password, output a password entry with sha512-crypt. func modifyPasswordFile(email, password string) bool { // read the password file // find the entry with the given email // replace the password with the new password // write the file back in, err := os.ReadFile("/root/docker/mail/config/postfix-accounts.cf") if err != nil { log.Println(err) return false } out, err := os.Create("/root/docker/mail/config/postfix-accounts.cf.tmp") if err != nil { log.Println(err) return false } lines := strings.Split(string(in), "\n") for _, line := range lines { if strings.HasPrefix(line, email) { line = createPasswordEntry(email, password) } out.WriteString(line) out.WriteString("\n") } out.Close() os.Rename("/root/docker/mail/config/postfix-accounts.cf", "/root/docker/mail/config/postfix-accounts.cf.old") os.Rename("/root/docker/mail/config/postfix-accounts.cf.tmp", "/root/docker/mail/config/postfix-accounts.cf") return true } func createPasswordEntry(email, password string) string { c := crypto.SHA512.New() c.Write([]byte(password)) // hash := c.Sum(nil) salt := base64.StdEncoding.EncodeToString(getSalt()) str := base64.StdEncoding.EncodeToString([]byte(string(c.Sum(nil)) + string(salt))) return fmt.Sprintf("%s|{SHA512-CRYPT}$6$%s$%s", email, salt, str) } func getSalt() []byte { salt := make([]byte, 10) _, err := io.ReadFull(rand.Reader, salt) if err != nil { log.Fatal(err) } return salt }