WebClient: allow to set TLS certificates

Signed-off-by: Nicola Murino <nicola.murino@gmail.com>

internal/dataprovider/dataprovider.go

@@ -3037,27 +3037,31 @@ func validateFilterProtocols(filters *sdk.BaseUserFilters) error {
 	return nil
 }
 
-func validateTLSCerts(certs []string) error {
+func validateTLSCerts(certs []string) ([]string, error) {
+	var validateCerts []string
 	for idx, cert := range certs {
+		if cert == "" {
+			continue
+		}
 		derBlock, _ := pem.Decode([]byte(cert))
 		if derBlock == nil {
-			return util.NewI18nError(
+			return nil, util.NewI18nError(
 				util.NewValidationError(fmt.Sprintf("invalid TLS certificate %d", idx)),
 				util.I18nErrorInvalidTLSCert,
 			)
 		}
-		cert, err := x509.ParseCertificate(derBlock.Bytes)
+		crt, err := x509.ParseCertificate(derBlock.Bytes)
 		if err != nil {
-			return util.NewI18nError(
+			return nil, util.NewI18nError(
 				util.NewValidationError(fmt.Sprintf("error parsing TLS certificate %d", idx)),
 				util.I18nErrorInvalidTLSCert,
 			)
 		}
-		if cert.PublicKeyAlgorithm == x509.RSA {
-			if rsaCert, ok := cert.PublicKey.(*rsa.PublicKey); ok {
+		if crt.PublicKeyAlgorithm == x509.RSA {
+			if rsaCert, ok := crt.PublicKey.(*rsa.PublicKey); ok {
 				if size := rsaCert.N.BitLen(); size < 2048 {
 					providerLog(logger.LevelError, "rsa cert with size %d not accepted, minimum 2048", size)
-					return util.NewI18nError(
+					return nil, util.NewI18nError(
 						util.NewValidationError(fmt.Sprintf("invalid size %d for rsa cert at position %d, minimum 2048",
 							size, idx)),
 						util.I18nErrorKeySizeInvalid,
@@ -3065,8 +3069,9 @@ func validateTLSCerts(certs []string) error {
 				}
 			}
 		}
+		validateCerts = append(validateCerts, cert)
 	}
-	return nil
+	return validateCerts, nil
 }
 
 func validateBaseFilters(filters *sdk.BaseUserFilters) error {
@@ -3093,9 +3098,11 @@ func validateBaseFilters(filters *sdk.BaseUserFilters) error {
 			return util.NewValidationError(fmt.Sprintf("invalid TLS username: %q", filters.TLSUsername))
 		}
 	}
-	if err := validateTLSCerts(filters.TLSCerts); err != nil {
+	certs, err := validateTLSCerts(filters.TLSCerts)
+	if err != nil {
 		return err
 	}
+	filters.TLSCerts = certs
 	for _, opts := range filters.WebClient {
 		if !util.Contains(sdk.WebClientOptions, opts) {
 			return util.NewValidationError(fmt.Sprintf("invalid web client options %q", opts))

internal/dataprovider/user.go

@@ -1097,11 +1097,23 @@ func (u *User) CanChangeInfo() bool {
 }
 
 // CanManagePublicKeys returns true if this user is allowed to manage public keys
-// from the web client. Used in web client UI
+// from the WebClient. Used in WebClient UI
 func (u *User) CanManagePublicKeys() bool {
 	return !util.Contains(u.Filters.WebClient, sdk.WebClientPubKeyChangeDisabled)
 }
 
+// CanManageTLSCerts returns true if this user is allowed to manage TLS certificates
+// from the WebClient. Used in WebClient UI
+func (u *User) CanManageTLSCerts() bool {
+	return !util.Contains(u.Filters.WebClient, sdk.WebClientTLSCertChangeDisabled)
+}
+
+// CanUpdateProfile returns true if the user is allowed to update the profile.
+// Used in WebClient UI
+func (u *User) CanUpdateProfile() bool {
+	return u.CanManagePublicKeys() || u.CanChangeAPIKeyAuth() || u.CanChangeInfo() || u.CanManageTLSCerts()
+}
+
 // CanAddFilesFromWeb returns true if the client can add files from the web UI.
 // The specified target is the directory where the files must be uploaded
 func (u *User) CanAddFilesFromWeb(target string) bool {