12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697989910010110210310410510610710810911011111211311411511611711811912012112212312412512612712812913013113213313413513613713813914014114214314414514614714814915015115215315415515615715815916016116216316416516616716816917017117217317417517617717817918018118218318418518618718818919019119219319419519619719819920020120220320420520620720820921021121221321421521621721821922022122222322422522622722822923023123223323423523623723823924024124224324424524624724824925025125225325425525625725825926026126226326426526626726826927027127227327427527627727827928028128228328428528628728828929029129229329429529629729829930030130230330430530630730830931031131231331431531631731831932032132232332432532632732832933033133233333433533633733833934034134234334434534634734834935035135235335435535635735835936036136236336436536636736836937037137237337437537637737837938038138238338438538638738838939039139239339439539639739839940040140240340440540640740840941041141241341441541641741841942042142242342442542642742842943043143243343443543643743843944044144244344444544644744844945045145245345445545645745845946046146246346446546646746846947047147247347447547647747847948048148248348448548648748848949049149249349449549649749849950050150250350450550650750850951051151251351451551651751851952052152252352452552652752852953053153253353453553653753853954054154254354454554654754854955055155255355455555655755855956056156256356456556656756856957057157257357457557657757857958058158258358458558658758858959059159259359459559659759859960060160260360460560660760860961061161261361461561661761861962062162262362462562662762862963063163263363463563663763863964064164264364464564664764864965065165265365465565665765865966066166266366466566666766866967067167267367467567667767867968068168268368468568668768868969069169269369469569669769869970070170270370470570670770870971071171271371471571671771871972072172272372472572672772872973073173273373473573673773873974074174274374474574674774874975075175275375475575675775875976076176276376476576676776876977077177277377477577677777877978078178278378478578678778878979079179279379479579679779879980080180280380480580680780880981081181281381481581681781881982082182282382482582682782882983083183283383483583683783883984084184284384484584684784884985085185285385485585685785885986086186286386486586686786886987087187287387487587687787887988088188288388488588688788888989089189289389489589689789889990090190290390490590690790890991091191291391491591691791891992092192292392492592692792892993093193293393493593693793893994094194294394494594694794894995095195295395495595695795895996096196296396496596696796896997097197297397497597697797897998098198298398498598698798898999099199299399499599699799899910001001100210031004100510061007100810091010101110121013101410151016101710181019102010211022102310241025102610271028102910301031103210331034103510361037103810391040104110421043104410451046104710481049105010511052105310541055105610571058105910601061106210631064106510661067106810691070107110721073107410751076107710781079108010811082108310841085108610871088108910901091109210931094109510961097109810991100110111021103110411051106110711081109111011111112111311141115111611171118111911201121112211231124112511261127112811291130113111321133113411351136113711381139114011411142114311441145114611471148114911501151115211531154115511561157115811591160116111621163116411651166116711681169117011711172117311741175117611771178117911801181118211831184118511861187118811891190119111921193119411951196119711981199120012011202120312041205120612071208120912101211121212131214121512161217121812191220122112221223122412251226122712281229123012311232123312341235123612371238123912401241124212431244124512461247124812491250125112521253125412551256125712581259126012611262126312641265126612671268126912701271127212731274127512761277127812791280128112821283128412851286128712881289129012911292129312941295129612971298129913001301130213031304130513061307130813091310131113121313131413151316131713181319132013211322132313241325132613271328132913301331133213331334133513361337133813391340134113421343134413451346134713481349135013511352135313541355135613571358135913601361136213631364136513661367136813691370137113721373137413751376137713781379138013811382138313841385138613871388138913901391139213931394139513961397139813991400140114021403140414051406140714081409141014111412141314141415141614171418141914201421142214231424142514261427142814291430143114321433143414351436143714381439144014411442144314441445144614471448144914501451145214531454145514561457145814591460146114621463146414651466146714681469147014711472147314741475147614771478147914801481148214831484148514861487148814891490149114921493149414951496149714981499150015011502150315041505150615071508150915101511151215131514151515161517151815191520152115221523152415251526152715281529153015311532153315341535153615371538153915401541154215431544154515461547154815491550155115521553155415551556155715581559156015611562156315641565156615671568156915701571157215731574157515761577157815791580158115821583158415851586158715881589159015911592159315941595159615971598159916001601160216031604160516061607160816091610161116121613161416151616161716181619162016211622162316241625162616271628162916301631163216331634163516361637163816391640164116421643164416451646164716481649165016511652165316541655165616571658165916601661166216631664166516661667166816691670167116721673167416751676167716781679168016811682168316841685168616871688168916901691169216931694169516961697169816991700170117021703170417051706170717081709171017111712171317141715171617171718171917201721172217231724172517261727172817291730173117321733173417351736173717381739174017411742174317441745174617471748174917501751175217531754175517561757175817591760176117621763176417651766176717681769177017711772177317741775177617771778177917801781178217831784178517861787178817891790179117921793179417951796179717981799180018011802180318041805180618071808180918101811181218131814181518161817181818191820182118221823182418251826182718281829183018311832183318341835183618371838183918401841184218431844184518461847184818491850185118521853185418551856185718581859186018611862186318641865186618671868186918701871187218731874187518761877187818791880188118821883188418851886188718881889189018911892189318941895189618971898189919001901190219031904190519061907190819091910191119121913191419151916191719181919192019211922192319241925192619271928192919301931193219331934193519361937193819391940194119421943194419451946194719481949195019511952195319541955195619571958195919601961196219631964196519661967196819691970197119721973197419751976197719781979198019811982198319841985198619871988198919901991199219931994199519961997199819992000200120022003200420052006200720082009201020112012201320142015201620172018201920202021202220232024202520262027202820292030203120322033203420352036203720382039204020412042204320442045204620472048204920502051205220532054205520562057205820592060206120622063206420652066206720682069207020712072207320742075207620772078207920802081208220832084208520862087208820892090209120922093209420952096209720982099210021012102210321042105210621072108210921102111211221132114211521162117211821192120212121222123212421252126212721282129213021312132213321342135213621372138213921402141214221432144214521462147214821492150215121522153215421552156215721582159216021612162216321642165216621672168216921702171217221732174217521762177217821792180218121822183218421852186218721882189219021912192219321942195219621972198219922002201220222032204220522062207220822092210221122122213221422152216221722182219222022212222222322242225222622272228222922302231223222332234223522362237223822392240224122422243224422452246224722482249225022512252225322542255225622572258225922602261226222632264226522662267226822692270227122722273227422752276227722782279228022812282228322842285228622872288228922902291229222932294229522962297229822992300230123022303230423052306230723082309231023112312231323142315231623172318231923202321232223232324232523262327232823292330233123322333233423352336233723382339234023412342234323442345234623472348234923502351235223532354235523562357235823592360236123622363236423652366236723682369237023712372237323742375237623772378237923802381238223832384238523862387238823892390239123922393239423952396239723982399240024012402240324042405240624072408240924102411241224132414241524162417241824192420242124222423242424252426242724282429243024312432243324342435243624372438243924402441244224432444244524462447244824492450245124522453245424552456245724582459246024612462246324642465246624672468246924702471247224732474247524762477247824792480248124822483248424852486248724882489249024912492249324942495249624972498249925002501250225032504250525062507250825092510251125122513251425152516251725182519252025212522252325242525252625272528252925302531253225332534253525362537253825392540254125422543254425452546254725482549255025512552255325542555255625572558255925602561256225632564256525662567256825692570257125722573257425752576257725782579258025812582258325842585258625872588258925902591259225932594259525962597259825992600260126022603260426052606260726082609261026112612261326142615261626172618261926202621262226232624262526262627262826292630263126322633263426352636263726382639264026412642264326442645264626472648264926502651265226532654265526562657265826592660266126622663266426652666266726682669267026712672267326742675267626772678267926802681268226832684268526862687268826892690269126922693269426952696269726982699270027012702270327042705270627072708270927102711271227132714271527162717271827192720272127222723272427252726272727282729273027312732273327342735273627372738273927402741274227432744274527462747274827492750275127522753275427552756275727582759276027612762276327642765276627672768276927702771277227732774277527762777277827792780278127822783278427852786278727882789279027912792279327942795279627972798279928002801280228032804280528062807280828092810281128122813281428152816281728182819282028212822282328242825282628272828282928302831283228332834283528362837283828392840284128422843284428452846284728482849285028512852285328542855285628572858285928602861286228632864286528662867286828692870287128722873287428752876287728782879288028812882288328842885288628872888288928902891289228932894289528962897289828992900290129022903290429052906290729082909291029112912291329142915291629172918291929202921292229232924292529262927292829292930293129322933293429352936293729382939294029412942294329442945294629472948294929502951295229532954295529562957295829592960296129622963296429652966296729682969297029712972297329742975297629772978297929802981298229832984298529862987298829892990299129922993299429952996299729982999300030013002300330043005300630073008300930103011301230133014301530163017301830193020302130223023302430253026302730283029303030313032303330343035303630373038303930403041304230433044304530463047304830493050305130523053305430553056305730583059306030613062306330643065306630673068306930703071307230733074307530763077307830793080308130823083308430853086308730883089309030913092309330943095309630973098309931003101310231033104310531063107310831093110311131123113311431153116311731183119312031213122312331243125312631273128312931303131313231333134313531363137313831393140314131423143314431453146314731483149315031513152315331543155315631573158315931603161316231633164316531663167316831693170317131723173317431753176317731783179318031813182318331843185318631873188318931903191319231933194319531963197319831993200320132023203320432053206320732083209321032113212321332143215321632173218321932203221322232233224322532263227322832293230323132323233323432353236323732383239324032413242324332443245324632473248324932503251325232533254325532563257325832593260326132623263326432653266326732683269327032713272327332743275327632773278327932803281328232833284328532863287328832893290329132923293329432953296329732983299330033013302330333043305330633073308330933103311331233133314331533163317331833193320332133223323332433253326332733283329333033313332333333343335333633373338333933403341334233433344334533463347334833493350335133523353335433553356335733583359336033613362336333643365336633673368336933703371337233733374337533763377337833793380338133823383338433853386338733883389339033913392339333943395339633973398339934003401340234033404340534063407340834093410341134123413341434153416341734183419342034213422342334243425342634273428342934303431343234333434343534363437343834393440344134423443344434453446344734483449345034513452345334543455345634573458345934603461346234633464346534663467346834693470347134723473347434753476347734783479348034813482348334843485348634873488348934903491349234933494349534963497349834993500350135023503350435053506350735083509351035113512351335143515351635173518351935203521352235233524 |
- // Copyright (C) 2019-2023 Nicola Murino
- //
- // This program is free software: you can redistribute it and/or modify
- // it under the terms of the GNU Affero General Public License as published
- // by the Free Software Foundation, version 3.
- //
- // This program is distributed in the hope that it will be useful,
- // but WITHOUT ANY WARRANTY; without even the implied warranty of
- // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- // GNU Affero General Public License for more details.
- //
- // You should have received a copy of the GNU Affero General Public License
- // along with this program. If not, see <https://www.gnu.org/licenses/>.
- package httpd
- import (
- "bytes"
- "context"
- "crypto/tls"
- "crypto/x509"
- "database/sql"
- "encoding/json"
- "errors"
- "fmt"
- "html/template"
- "io"
- "net/http"
- "net/http/httptest"
- "net/url"
- "os"
- "path"
- "path/filepath"
- "runtime"
- "strings"
- "testing"
- "time"
- "github.com/go-chi/chi/v5"
- "github.com/go-chi/chi/v5/middleware"
- "github.com/go-chi/jwtauth/v5"
- "github.com/klauspost/compress/zip"
- "github.com/lestrrat-go/jwx/v2/jwa"
- "github.com/lestrrat-go/jwx/v2/jwt"
- "github.com/rs/xid"
- "github.com/sftpgo/sdk"
- sdkkms "github.com/sftpgo/sdk/kms"
- "github.com/sftpgo/sdk/plugin/notifier"
- "github.com/stretchr/testify/assert"
- "github.com/stretchr/testify/require"
- "github.com/drakkan/sftpgo/v2/internal/acme"
- "github.com/drakkan/sftpgo/v2/internal/common"
- "github.com/drakkan/sftpgo/v2/internal/dataprovider"
- "github.com/drakkan/sftpgo/v2/internal/kms"
- "github.com/drakkan/sftpgo/v2/internal/plugin"
- "github.com/drakkan/sftpgo/v2/internal/util"
- "github.com/drakkan/sftpgo/v2/internal/vfs"
- )
- const (
- httpdCert = `-----BEGIN CERTIFICATE-----
- MIICHTCCAaKgAwIBAgIUHnqw7QnB1Bj9oUsNpdb+ZkFPOxMwCgYIKoZIzj0EAwIw
- RTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGElu
- dGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAeFw0yMDAyMDQwOTUzMDRaFw0zMDAyMDEw
- OTUzMDRaMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYD
- VQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwdjAQBgcqhkjOPQIBBgUrgQQA
- IgNiAARCjRMqJ85rzMC998X5z761nJ+xL3bkmGVqWvrJ51t5OxV0v25NsOgR82CA
- NXUgvhVYs7vNFN+jxtb2aj6Xg+/2G/BNxkaFspIVCzgWkxiz7XE4lgUwX44FCXZM
- 3+JeUbKjUzBRMB0GA1UdDgQWBBRhLw+/o3+Z02MI/d4tmaMui9W16jAfBgNVHSME
- GDAWgBRhLw+/o3+Z02MI/d4tmaMui9W16jAPBgNVHRMBAf8EBTADAQH/MAoGCCqG
- SM49BAMCA2kAMGYCMQDqLt2lm8mE+tGgtjDmtFgdOcI72HSbRQ74D5rYTzgST1rY
- /8wTi5xl8TiFUyLMUsICMQC5ViVxdXbhuG7gX6yEqSkMKZICHpO8hqFwOD/uaFVI
- dV4vKmHUzwK/eIx+8Ay3neE=
- -----END CERTIFICATE-----`
- httpdKey = `-----BEGIN EC PARAMETERS-----
- BgUrgQQAIg==
- -----END EC PARAMETERS-----
- -----BEGIN EC PRIVATE KEY-----
- MIGkAgEBBDCfMNsN6miEE3rVyUPwElfiJSWaR5huPCzUenZOfJT04GAcQdWvEju3
- UM2lmBLIXpGgBwYFK4EEACKhZANiAARCjRMqJ85rzMC998X5z761nJ+xL3bkmGVq
- WvrJ51t5OxV0v25NsOgR82CANXUgvhVYs7vNFN+jxtb2aj6Xg+/2G/BNxkaFspIV
- CzgWkxiz7XE4lgUwX44FCXZM3+JeUbI=
- -----END EC PRIVATE KEY-----`
- caCRT = `-----BEGIN CERTIFICATE-----
- MIIE5jCCAs6gAwIBAgIBATANBgkqhkiG9w0BAQsFADATMREwDwYDVQQDEwhDZXJ0
- QXV0aDAeFw0yMzAxMDMxMDIwNDdaFw0zMzAxMDMxMDMwNDZaMBMxETAPBgNVBAMT
- CENlcnRBdXRoMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAxq6Wl1Ih
- hgvGdM8M2IVI7dwnv3yShJygZsnREQSEW0xeWJL5DtNeHCME5WByFUAlZKpePtW8
- TNwln9DYDtgNSMiWwvO/wR0mXsyU8Ma4ZBMlX0oOkWo1Ff/M/u8YY9X78Vvwdt62
- Yt7QmU5oUUW2HdAgh4AlhKJSjm3t0uDP5s54uvueL5bjChHwEb1ZGOtST9Zt86cj
- YA/xtVHnDXCJbhohpzQI6dK96NegONZVDaxEohVCyYYOgI1I14Bxu0ZCMm5GjwoO
- QohnUfEJ+BRgZqFpbsnYCE+PoVayVVFoLA+GMeqbQ2SHej1Pr1K0dbjUz6SAk8/+
- DL7h8d+YAtflATsMtdsVJ4WzEfvZbSbiYKYmlVC6zk6ooXWadvQ5+aezVes9WMpH
- YnAoScuKoeerRuKlsSU7u+XCmy/i7Hii5FwMrSvIL2GLtVE+tJFCTABA55OWZikt
- ULMQfg3P2Hk3GFIE35M10mSjKQkGhz06WC5UQ7f2Xl9GzO6PqRSorzugewgMK6L4
- SnN7XBFnUHHqx1bWNkUG8NPYB6Zs7UDHygemTWxqqxun43s501DNTSunCKIhwFbt
- 1ol5gOvYAFG+BXxnggBT815Mgz1Zht3S9CuprAgz0grNEwAYjRTm1PSaX3t8I1kv
- oUUuMF6BzWLHJ66uZKOCsPs3ouGq+G3GfWUCAwEAAaNFMEMwDgYDVR0PAQH/BAQD
- AgEGMBIGA1UdEwEB/wQIMAYBAf8CAQAwHQYDVR0OBBYEFCj8lmcR7loB9zAP/feo
- t1eIHWmIMA0GCSqGSIb3DQEBCwUAA4ICAQCu46fF0Tr2tZz1wkYt2Ty3OU77jcG9
- zYU/7uxPqPC8OYIzQJrumXKLOkTYJXJ7k+7RQdsn/nbxdH1PbslNDD3Eid/sZsF/
- dFdGR1ZYwXVQbpYwEd19CvJTALn9CyAZpMS8J2RJrmdScAeSSb0+nAGTYP7GvPm+
- 8ktOnrz3w8FtzTw+seuCW/DI/5UpfC9Jf+i/3XgxDozXWNW6YNOIw/CicyaqbBTk
- 5WFcJ0WJN+8qQurw8n+sOvQcNsuDTO7K3Tqu0wGTDUQKou7kiMX0UISRvd8roNOl
- zvvokNQe4VgCGQA+Y2SxvSxVG1BaymYeNw/0Yxm7QiKSUI400V1iKIcpnIvIedJR
- j2bGIlslVSV/P6zkRuF1srRVxTxSf1imEfs8J8mMhHB6DkOsP4Y93z5s6JZ0sPiM
- eOb0CVKul/e1R0Kq23AdPf5eUv63RhfmokN1OsdarRKMFyHphWMxqGJXsSvRP+dl
- 3DaKeTDx/91OSWiMc+glHHKKJveMYQLeJ7GXmcxhuoBm6o4Coowgw8NFKMCtAsp0
- ktvsQuhB3uFUterw/2ONsOChx7Ybu36Zk47TKBpktfxDQ578TVoZ7xWSAFqCPHvx
- A5VSwAg7tdBvORfqQjhiJRnhwr50RaNQABTLS0l5Vsn2mitApPs7iKiIts2ieWsU
- EsdgvPZR2e5IkA==
- -----END CERTIFICATE-----`
- caKey = `-----BEGIN RSA PRIVATE KEY-----
- MIIJJwIBAAKCAgEAxq6Wl1IhhgvGdM8M2IVI7dwnv3yShJygZsnREQSEW0xeWJL5
- DtNeHCME5WByFUAlZKpePtW8TNwln9DYDtgNSMiWwvO/wR0mXsyU8Ma4ZBMlX0oO
- kWo1Ff/M/u8YY9X78Vvwdt62Yt7QmU5oUUW2HdAgh4AlhKJSjm3t0uDP5s54uvue
- L5bjChHwEb1ZGOtST9Zt86cjYA/xtVHnDXCJbhohpzQI6dK96NegONZVDaxEohVC
- yYYOgI1I14Bxu0ZCMm5GjwoOQohnUfEJ+BRgZqFpbsnYCE+PoVayVVFoLA+GMeqb
- Q2SHej1Pr1K0dbjUz6SAk8/+DL7h8d+YAtflATsMtdsVJ4WzEfvZbSbiYKYmlVC6
- zk6ooXWadvQ5+aezVes9WMpHYnAoScuKoeerRuKlsSU7u+XCmy/i7Hii5FwMrSvI
- L2GLtVE+tJFCTABA55OWZiktULMQfg3P2Hk3GFIE35M10mSjKQkGhz06WC5UQ7f2
- Xl9GzO6PqRSorzugewgMK6L4SnN7XBFnUHHqx1bWNkUG8NPYB6Zs7UDHygemTWxq
- qxun43s501DNTSunCKIhwFbt1ol5gOvYAFG+BXxnggBT815Mgz1Zht3S9CuprAgz
- 0grNEwAYjRTm1PSaX3t8I1kvoUUuMF6BzWLHJ66uZKOCsPs3ouGq+G3GfWUCAwEA
- AQKCAgB1dNFiNBPNgziX5a/acTFkLTryYVrdOxs4qScHwHve3Y8JHhpPQXXpfGpw
- kEvhdEKm+HEvBHyFk8BKctTIMcHovW0jY6aBLBJ7CMckcNahkxAM/WMPZJJtpwQx
- 0nfAzchcL9ZA7/kzCjaX61qQcX3wshIJCSElADF+Mk7e1DkUYgvNvuMNj045rdEX
- K7F4oeXPfR0TZkPrjoF+iCToNReKF7i9eG2sjgHnnVIDR/KQWr9YculA6he4t83Q
- WQbjh+2qkrbz6SX0/17VeoJCPwmeot4JuRoWD7MB1pcnCTFkmujiqaeQd+X/xi9N
- nr9AuTxWZRH+UIAIWPCKZX0gcTHYNJ7Qj/bwIOx6xIISrH4unvKtJOI71NBBognY
- wBlDbz5gST1GKdZHsvqsi2sfFF7HAxiUzLHTofsYr0joNgHTJcXlJrtDrjbEt9mm
- 8f1tVc+ooQYb3u2BJlrIn3anUytVXEjYRje1bBYRaE1uuVG5QdHInc6V7rV3LfvX
- IByObtklvCLgCxZm6QUGedb16KV+Prt1W0Yvk6kMOldhG2uBRrt2vC8QxgNzRs90
- LIwBhv1hg++EU9RIaXN6we9ZiPs164VD1h6f8UeShAFtQN9eByqRaYmJzDDNh8Py
- CK/mR4mlyjdAArm42HpsPM0DeCpgjCQnsQFCihXe9++OT8enAQKCAQEAzbFWCmL0
- JsvsQopeO9H7NrQIZRql1bfPOcjvDBtYZgjR91q84zEcUUmEjVMtD/oPSk4HdjEK
- ljmGAjOvIFpdgk0YAtA4+kP+zvEoaKLfKGLNXdeNdYPJBvHMcbLrOknFJZ7PVoJA
- 5hQHMazX+JzaeCB2PTcGWUSnu4Lw4eTho/dmdlwsGS7HjTPw7LZnQfrJ57NHVX6n
- ZtwfjgxBmyE+rImpPPytuKGAgbH9qhrUqCNh6MQ6ZcqN4aHAI8j72IW8rwSPkYZ3
- mRpLtrvKKKcAp3YWh75WAtG0aqVQ876wpcM7Nxa+0TM9UzbF+xtoyz1/BCp3hrCA
- 0g6D40YRiPf+OQKCAQEA90ZNRP2vEEUbkXkxZGyrOq9P7FEgwt1Tg3kvCVrralst
- Db/v2ZQR8IyhJwNtBczXKpuxrv978zKjrDhqBMBaL8wXUrmf98has14ZvvrgiCzE
- oBuVRbRrJ8ksY2YyzBkW3OjO9iI7knbVT50xasbqhtHj5Q3DWMOt0bcAAjcZlRK3
- gD1e25/YOBR3C1XVylGGDH0jU/7VHzkedy8rwr7vPwMS7crU6l74mxre7ZS5Mb9T
- nqoP/VgrHzoz+uVXTXk0FvJBENrDm340RxsBrK7/ePA8ngp5ZzfUZ47eYOSYBZPD
- WYG1+Z99/ZLzZ/AJvp2HiGPDG5lXJjKg/Y7iWis4jQKCAQBaE7r2OXdqNgt06Ft0
- HvTAc/7pJ85P1Xrud0wYJTGFHX+1rwrhA3S/NE7UBQTK5lsj0x/5ZmiYeQBynmem
- 52vj0BcfxEfvcS95OKrVh93qNbpxyh+swtWaMPGzKQNSN1QasX1jCQ+aslKkMmkx
- +p7B1JVzIVGqbiJ2P1V112HpCELaumqlbJL/BywOvaJiho085onqqthsdyFqd3uT
- j+9+Z5qxloYNQMyh/2xyveU67KPH54cbZKTVlpwqD64amBaVHo4w0I43ggh+MabK
- PrhOnawoLfZErckwmszksTFyphice119B89nTalN2ib+OiQRkvddCJahZrHjKaAs
- N04hAoIBACwKAUkARWWIaViHVRylnfldr8ZOzJ7n/C+2LYJlBvhyNJv2SyldDbTh
- 1vGz0n7t9IRKJmMcbV7q7euGQJuIBofsuVqqZKskq8K2R6+Tztlx37MENpmrgEod
- siIh2XowHbpKXFHJ1wJG18bOIDb8JljMmOH6iYgNka+AAChk19GM+9GDHJnQ5hlW
- y7zhFKpryov+3YPgJuTgr2RaqliM2N9IFN70+Oak83HsXzfA/Rq3EJV5hE+CnGt7
- WjadEediZryPeLcfvya6W2UukiXHJQjNAH7FLsoLT3ECKOjozYpwvqH6UAadOTso
- KOGiBppERBcubVlE/hh3e+SsxfN5LyECggEATftYF8rp47q8LKCJ/QHk1U+MZoeU
- hkMuov2/Du4Cj3NsAq/GmdU2nuPGHUoHZ90rpfbOdsg4+lYx3aHSfVwk46xy6eE3
- LsC30W9NUEc14pveuEfkXWwIhmkwmA8n53wpjWf1nnosXa6UCHj6ycoRuwkH1QN1
- muQumpvL1gR8BV4H0vnhd0bCFHH4wyPKy0yTaXXsUE5NBCRbyOqehSLMOjCSgKUK
- 5oDwxh7pnJf1cchKpG0ODJR60vukdjcfqU9UN/SMvpYLnBiozM3QrxwHKROsnZzm
- Q0gSWphVd9QaWWD3wtHYPV3RkE5F4H+mKjVcnkES3aQnow7b/FSnhdJ4dw==
- -----END RSA PRIVATE KEY-----`
- caCRL = `-----BEGIN X509 CRL-----
- MIICpjCBjwIBATANBgkqhkiG9w0BAQsFADATMREwDwYDVQQDEwhDZXJ0QXV0aBcN
- MjMwMTAzMTAzMzI4WhcNMjUwMTAyMTAzMzI4WjAjMCECEHUfHtKUGlg/86yMN/aM
- xxsXDTIzMDEwMzEwMzMyOFqgIzAhMB8GA1UdIwQYMBaAFCj8lmcR7loB9zAP/feo
- t1eIHWmIMA0GCSqGSIb3DQEBCwUAA4ICAQAJf6MBMUc3xWKB6fy0VoPbXQjVTsL4
- Yjm5lKaCtvcRiJ6onaITfJL6V3OCy/MAe94sHynvK3DyyYvxJ0ms7y+kmEtFzHwz
- T+hBPHaEV/Ccamt+3zRZwndwEMomkQz5tBipwimOlsYXWqItjhXHcLLr84jWgqpD
- JHcfDmLswCeJVqe8xyYSYCnWMjQ3sn0h+arjm53SdHTULlsjgKeX/ao2IJwt1Ddr
- APYKZ/XBWq9vBq3l4l2Ufj16fUBY5NeHTjQcLLrkwmBwpSb0YS8+jBwmOwo1HwEF
- MEwADBTHI2jT4ygzzKefVETfcSk4CuIQ1ve0qQL7KY5Fg5AXwbRycev6R0vEHR82
- oOPAqg+dYgKtdkxK5QZrNLenloq6x0/3oEThwOg3J17+eCYjixBC+3PoUzLa+yfZ
- xSQ/kkcRJExEhadw5I9TI7sEUk1RjDCl6AtHg53LQifokiLLfMRptOiN3a4NlLJ2
- HNXfWUltRUnr6MCxk+G7U5Zaj1QtCN3Aldw+3xcJr7FOBU23VqRT22XbfW+B1gsr
- 4eNlw5Kk/PDF/WZeGbrwy7fvpSoFsDYI8lpVlzKVwLampIZVhnWsfaf7jk/pc4T0
- 6iZ+rnB6CP4P+LM34jKYiAtz+iufjEB6Ko0jN0ZWCznDGDVgMwnVynGJNKU+4bl8
- vC4nIbS2OhclcA==
- -----END X509 CRL-----`
- client1Crt = `-----BEGIN CERTIFICATE-----
- MIIEIDCCAgigAwIBAgIQWwKNgBzKWM8ewyS4K78uOTANBgkqhkiG9w0BAQsFADAT
- MREwDwYDVQQDEwhDZXJ0QXV0aDAeFw0yMzAxMDMxMDIzMTFaFw0zMzAxMDMxMDMw
- NDVaMBIxEDAOBgNVBAMTB2NsaWVudDEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
- ggEKAoIBAQC+jwuaG0FSpPtE5mZPBgdacAhXXa51/TIT18HTm+QnOYUcGRel3AuZ
- OBWv3fOallW8iQX3i+M78cKeTMWOS5RGXCdDe866pYXEyUkZFRRSA/6573Dz5dJ/
- DZOCsgW+91JlSkM1+FYE9cpt4qLkdAjSRXIoebcA64K60wqZr1Js+pQrH3leT9wu
- 33dM3KHkDHOeMj6X/V1me22htndD/DUlWmPc58jMFbcvxFG3oUBB9U65LJBwJNzr
- XWVcli2QirZ0fLkC7Lo2FIYuN1qeU/8A/T4TTInZb/eW3Faqv4RuhjWPXFLqkdIP
- 4AzDxCNuhlWqyv9nfgegXAHOHpXZMDKxAgMBAAGjcTBvMA4GA1UdDwEB/wQEAwID
- uDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwHQYDVR0OBBYEFKloKnzI
- w7YYnjm1sKU+LgvT5dU0MB8GA1UdIwQYMBaAFCj8lmcR7loB9zAP/feot1eIHWmI
- MA0GCSqGSIb3DQEBCwUAA4ICAQAeja0rK7I14ibgis9vSPXAGmmKpagIjvZiYCE6
- Ti/Rq6qbyQ6tKL08NxR2XPNjoXfxwGOGgboWR86S7WT93pz3HkftAjTfzUnxnXOx
- S7dWfq+g0uY/3ql6IFDQBpGKHu/KN8/1Pvn39FiYSdCaM66bwyFukcvBXace+aC1
- M6jzVsscxoCCjXhcZl++Tjpf6TzGMd8OFyArBQmOUCoFrTcMzLPKSAROAHp0k+Ju
- HHNgLdgXPQCfAgRbWnqq2o2moApe7+gzMS+1X0eKhIXYS7csK8rFvGzjH/ANDo9A
- 8+AFcJh8YiIlEVI8nCb3ERdpAbu6G5xkfUDkqcWjCAhuokrbeFmU82RQOc3TQZc9
- NMHfTkCOPhaIdPI/kC+fZkdz+5ftDCl/radSljeMX+/y0DVQUOtrQzyT1PBN0vCx
- L+FCzj0fHJwdoDiFLxDLLN1pYWsxMnIichpg625CZM9r5i183yPErXxxQPydcDrX
- Y6Ps7rGiU7eGILhAfQnS1XUDvH0gNfLUvO5uWm6yO4yUEDWkA/wOTnrc8Z5Waza+
- kH+FmxnYpT1rMloTSoyiHIPvTq1nVJ8LILUODZAxW+ZHmccGgOpIN/DWuWunVRHG
- tuaTSgU1xjWl2q/SeoS2DpiEKTIAZZQ5CTD819oc8SnLTzK0ISRpBXKg13AF2uJD
- G9q7sA==
- -----END CERTIFICATE-----`
- client1Key = `-----BEGIN RSA PRIVATE KEY-----
- MIIEpQIBAAKCAQEAvo8LmhtBUqT7ROZmTwYHWnAIV12udf0yE9fB05vkJzmFHBkX
- pdwLmTgVr93zmpZVvIkF94vjO/HCnkzFjkuURlwnQ3vOuqWFxMlJGRUUUgP+ue9w
- 8+XSfw2TgrIFvvdSZUpDNfhWBPXKbeKi5HQI0kVyKHm3AOuCutMKma9SbPqUKx95
- Xk/cLt93TNyh5AxznjI+l/1dZnttobZ3Q/w1JVpj3OfIzBW3L8RRt6FAQfVOuSyQ
- cCTc611lXJYtkIq2dHy5Auy6NhSGLjdanlP/AP0+E0yJ2W/3ltxWqr+EboY1j1xS
- 6pHSD+AMw8QjboZVqsr/Z34HoFwBzh6V2TAysQIDAQABAoIBAFaIHnycY81jnbZr
- 6Yl4813eAeuqXs61a0gXcazl3XTyab+YpWRrx9iL3009PKG2Iri6gDspCsbtwbKg
- qhUzvOE2d53tWrLm9xelT8xUBiY4KjPEx0X51txbDeELdhCBvqjAUETxwB4Afyvm
- /pE/H8JcRrqair+gMn0j2GxxcLyLQt8/DBaqbs50QDxYbLTrfZzXi3R5iAMmtGDM
- ZuhBDJYjw/PdJnmWcCkeEFa731ZwHISvDFJtZ6kv0yU7guHzvDWOFlszFksv8HRI
- s46i1AqvdLd3M/xVDWi2f5P3IuOK80v2xrTZAbJSc9Fo/oHhO+9mWoxnGF2JE2zO
- cabYfAECgYEA/EIw0fvOLabhmsLTItq7p76Gt1kE2Rsn+KsRH+H4vE3iptHy1pks
- j/aohQ+YeZM3KtsEz12dtPfUBQoTMfCxpiHVhhpX5JLyc6OAMWhZUItQX2X0lzeY
- oPRdbEMRcfxOKjb3mY5T2h9TVUieuspE2wExYFRMaB8BT4pio86iWYUCgYEAwWKV
- pP7w1+H6bpBucSh89Iq0inIgvHpFNz0bpAFTZV+VyydMzjfkY8k6IqL5ckr2aDsY
- vk6XLClJi6I2qeQx/czIrd+xCWcSJPLTcjtKwv0T01ThNVq+ev1NBUqU03STyaJa
- p14r4dIYxpZs13s+Mdkzr7R8uv4J5Y03AP90xj0CgYEA4j0W/ezBAE6QPbWHmNXl
- wU7uEZgj8fcaBTqfVCHdbDzKDuVyzqZ3wfHtN9FB5Z9ztdrSWIxUec5e99oOVxbQ
- rPfhQbF0rIpiKfY0bZtxpvwbLEQLdmelWo1vED6iccFf9RpxO+XbLGA14+IKgeoQ
- kP5j40oXcLaF/WlWiCU1k+UCgYEAgVFcgn5dLfAWmLMKt678iEbs3hvdmkwlVwAN
- KMoeK48Uy0pXiRtFJhldP+Y96tkIF8FVFYXWf5iIbtClv0wyxeaYV/VbHM+JCZ48
- GYpevy+ff1WmWBh7giE6zQwHo7O0VES2XG+T5qmpGbtjw2DNwWXes2N9eUoB8jhR
- jOBHBX0CgYEA6Ha3IdnpYyODII1W26gEPnBoUCk1ascsztAqDwikBgMY9605jxLi
- t3L261iTtN4kTd26nPTsNaJlEnKfm7Oqg1P3zpYLmC2JoFVrOyAZVhyfLACBMV9g
- Dy1qoA4qz5jjtwPQ0bsOpfE6/oXdIZZdgyi1CmVRMNF0z3KNs1LhLLU=
- -----END RSA PRIVATE KEY-----`
- // client 2 crt is revoked
- client2Crt = `-----BEGIN CERTIFICATE-----
- MIIEIDCCAgigAwIBAgIQdR8e0pQaWD/zrIw39ozHGzANBgkqhkiG9w0BAQsFADAT
- MREwDwYDVQQDEwhDZXJ0QXV0aDAeFw0yMzAxMDMxMDIzMTRaFw0zMzAxMDMxMDMw
- NDVaMBIxEDAOBgNVBAMTB2NsaWVudDIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
- ggEKAoIBAQC/UZqUxeP15lhXBmPmpS5SdI470R75fxmN14FhYwTS3FsDoT+evqRg
- II4Qo/wqbaGrk/BsbzB7ToVWqpkyZ58hYPdtLjKtBBHYsSCNCoKZEVJTz5JdW3sj
- CKRsG3zPVhFjJcYW9pKsr/CGIIDWAfkuuwR+R/NHkUFSjEP5N9qMAc9wBvskxV84
- YAJJykPD9rG8PjXHOKsfNUhH+/QfbqMkCeETJ1sp66o3ilql2aZ0m6K6x4gB7tM7
- NZnM4eztLZbAnQVQhNBYCR6i7DGI2dujujPbpCqmSqSb42n+3a2o844k6EnU76HJ
- RZwhd3ypy9CvTdkya5JbK+aKKo8fGFHbAgMBAAGjcTBvMA4GA1UdDwEB/wQEAwID
- uDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwHQYDVR0OBBYEFLItEDE1
- gVYfe7JSax5YAjEW8tmzMB8GA1UdIwQYMBaAFCj8lmcR7loB9zAP/feot1eIHWmI
- MA0GCSqGSIb3DQEBCwUAA4ICAQCZRStHCbwmhmH4tu7V5ammmQhn1TKcspV86cXz
- JQ4ZM11RvGpRLTmYuRkl5XloMuvB8yYAE1ihhkYOhgU6zSAj33kUQSx6cHXWau7T
- NjTchptKX+b17GR/yuFwIR3TugArBsnwyuUdts478gTY+MSgTOWWyOgWl3FujiEJ
- GJ7EgKde4jURXv2qjp6ZtSVqMlAa3y8C3S8nLdyt9Rf8CcSjEy/t8t0JhoMYCvxg
- o1k7QhMCfMYjjEIuEyDVOdCs2ExepG1zUVBP5h5239sXvLKrOZvgCZkslyTNd/m9
- vv4yR5gLgCdt0Ol1uip0p910PJoSqX6nZNfeCx3+Kgyc7crl8PrsnUAVoPgLxpVm
- FWF+KlUbh2KiYTuSi5cH0Ti9NtWT3Qi8d4WhmjFlu0zD3EJEUie0oYfHERiO9bVo
- 5EAzERSVhgQdxVOLgIc2Hbe1JYFf7idyqASRw6KdVkW6YIC/V/5efrJ1LZ5QNrdv
- bmfJ5CznE6o1AH9JsQ8xMi+kmyn/It1uMWIwP/tYyjQ98dlOj2k9CHP2RzrvCCY9
- yZNjs2QC5cleNdSpNMb2J2EUYTNAnaH3H8YdbT0scMHDvre1G7p4AjeuRJ9mW7VK
- Dcqbw+VdSAPyAFdiCd9x8AU3sr28vYbPbPp+LsHQXIlYdnVR0hh2UKF5lR8iuqVx
- y05cAQ==
- -----END CERTIFICATE-----`
- client2Key = `-----BEGIN RSA PRIVATE KEY-----
- MIIEpAIBAAKCAQEAv1GalMXj9eZYVwZj5qUuUnSOO9Ee+X8ZjdeBYWME0txbA6E/
- nr6kYCCOEKP8Km2hq5PwbG8we06FVqqZMmefIWD3bS4yrQQR2LEgjQqCmRFSU8+S
- XVt7IwikbBt8z1YRYyXGFvaSrK/whiCA1gH5LrsEfkfzR5FBUoxD+TfajAHPcAb7
- JMVfOGACScpDw/axvD41xzirHzVIR/v0H26jJAnhEydbKeuqN4papdmmdJuiuseI
- Ae7TOzWZzOHs7S2WwJ0FUITQWAkeouwxiNnbo7oz26Qqpkqkm+Np/t2tqPOOJOhJ
- 1O+hyUWcIXd8qcvQr03ZMmuSWyvmiiqPHxhR2wIDAQABAoIBAQCGAtE2uM8PJcRn
- YPCFVNr3ovEmcTszJJZvxq632rY8RWHzTvXTalKVivg4K8WsqpJ+LuhP7CqXlM7N
- gD5DElZi+RsXfS6+BoXBtYDJir0kHv/9+P3bKwM77QfPOgnY6b7QJlt1Jk5ja/Ic
- 4ZOdVFCJLTLeieOdE+AfxGSwozEQs9N3wBjPi6i5Rarc6i8HbuSemp/KfXrSR/Sh
- EFajk0l3nFVgr3VOLGsV/ieT6EW42p6ZA1ZBEi4sr4hN49zU2Vpj+lXBl/RhVGgM
- 6cSYJkOP98eD2t9cjHyZFqSw18/UqTNonMfoT2uvSNni9/jAouzkt7SwaPAqQpjE
- BfiJnK9RAoGBAMNdK6AhS+9ouQEP5v+9ubQ3AIEMYb+3uVR+1veCBqq49J0Z3tgk
- 7Ts5eflsYnddmtys+8CMnAvh+1EedK+X/MQyalQAUHke+llt94N+tHpSPDw/ZHOy
- koyLFg6efQr+626x6o33jqu+/9fu7Szxv41tmnCfh9hxGXda3aiWHsUdAoGBAPqz
- BQVWI7NOJmsiSB0OoDs+x3fqjp31IxEw63t+lDtSTTzxCU53sfie9vPsKdPFqR+d
- yNa5i5M8YDuaEjbN3hpuOpRWbfg2aPVyx3TNPp8bHNNUuJkCQ4Z2b0Imlv4Sycl+
- CCMMXvysIAomxkAZ3Q3BsSAZd2n+qvLvMt2jGZlXAoGAa/AhN1LOMpMojBauKSQ4
- 4wH0jFg79YHbqnx95rf3WQHhXJ87iS41yCAEbTNd39dexYfpfEPzv3j2sqXiEFYn
- +HpmVszpqVHdPeXM9+DcdCzVTPA1XtsNrwr1f9Q/AAFCMKGqFw/syqU3k6VVcxyK
- GeixiIILuyEZ0eDpUMjIbV0CgYBbwvLvhRwEIXLGfAHRQO09QjlYly4kevme7T0E
- Msym+fTzfXZelkk6K1VQ6vxUW2EQBXzhu4BvIAZJSpeoH6pQGlCuwwP1elTool6H
- TijBq/bdE4GN39o/eVI38FAMJ2xcqBjqWzjZW1dO3+poxA65XlAq46dl0KVZzlvb
- 7DsOeQKBgQCW8iELrECLQ9xhPbzqdNEOcI4wxEI8oDNLvUar/VnMrSUBxi/jo3j2
- 08IOKMKqSl+BX77ftgazhyL+hEgxlZuPKeqUuOWcNxuAs0vK6Gc5+Y9UpQEq78nH
- uaPG3o9EBDf5eFKi76o+pVtqxrwhY88M/Yw0ykEA6Nf7RCo2ucdemg==
- -----END RSA PRIVATE KEY-----`
- defaultAdminUsername = "admin"
- )
- var (
- configDir = filepath.Join(".", "..", "..")
- )
- type failingWriter struct {
- }
- func (r *failingWriter) Write(_ []byte) (n int, err error) {
- return 0, errors.New("write error")
- }
- func (r *failingWriter) WriteHeader(_ int) {}
- func (r *failingWriter) Header() http.Header {
- return make(http.Header)
- }
- func TestShouldBind(t *testing.T) {
- c := Conf{
- Bindings: []Binding{
- {
- Port: 10000,
- },
- },
- }
- require.False(t, c.ShouldBind())
- c.Bindings[0].EnableRESTAPI = true
- require.True(t, c.ShouldBind())
- c.Bindings[0].Port = 0
- require.False(t, c.ShouldBind())
- if runtime.GOOS != osWindows {
- c.Bindings[0].Address = "/absolute/path"
- require.True(t, c.ShouldBind())
- }
- }
- func TestBrandingValidation(t *testing.T) {
- b := Binding{
- Branding: Branding{
- WebAdmin: UIBranding{
- LogoPath: "path1",
- LoginImagePath: "login1.png",
- DefaultCSS: []string{"my.css"},
- },
- WebClient: UIBranding{
- FaviconPath: "favicon1.ico",
- DisclaimerPath: "../path2",
- ExtraCSS: []string{"1.css"},
- },
- },
- }
- b.checkBranding()
- assert.Equal(t, "/favicon.ico", b.Branding.WebAdmin.FaviconPath)
- assert.Equal(t, "/path1", b.Branding.WebAdmin.LogoPath)
- assert.Equal(t, "/login1.png", b.Branding.WebAdmin.LoginImagePath)
- assert.Equal(t, []string{"/my.css"}, b.Branding.WebAdmin.DefaultCSS)
- assert.Len(t, b.Branding.WebAdmin.ExtraCSS, 0)
- assert.Equal(t, "/favicon1.ico", b.Branding.WebClient.FaviconPath)
- assert.Equal(t, "/path2", b.Branding.WebClient.DisclaimerPath)
- assert.Equal(t, "/img/login_image.png", b.Branding.WebClient.LoginImagePath)
- if assert.Len(t, b.Branding.WebClient.ExtraCSS, 1) {
- assert.Equal(t, "/1.css", b.Branding.WebClient.ExtraCSS[0])
- }
- }
- func TestRedactedConf(t *testing.T) {
- c := Conf{
- SigningPassphrase: "passphrase",
- Setup: SetupConfig{
- InstallationCode: "123",
- },
- }
- redactedField := "[redacted]"
- redactedConf := c.getRedacted()
- assert.Equal(t, redactedField, redactedConf.SigningPassphrase)
- assert.Equal(t, redactedField, redactedConf.Setup.InstallationCode)
- assert.NotEqual(t, c.SigningPassphrase, redactedConf.SigningPassphrase)
- assert.NotEqual(t, c.Setup.InstallationCode, redactedConf.Setup.InstallationCode)
- }
- func TestGetRespStatus(t *testing.T) {
- var err error
- err = util.NewMethodDisabledError("")
- respStatus := getRespStatus(err)
- assert.Equal(t, http.StatusForbidden, respStatus)
- err = fmt.Errorf("generic error")
- respStatus = getRespStatus(err)
- assert.Equal(t, http.StatusInternalServerError, respStatus)
- respStatus = getRespStatus(plugin.ErrNoSearcher)
- assert.Equal(t, http.StatusNotImplemented, respStatus)
- }
- func TestMappedStatusCode(t *testing.T) {
- err := os.ErrPermission
- code := getMappedStatusCode(err)
- assert.Equal(t, http.StatusForbidden, code)
- err = os.ErrNotExist
- code = getMappedStatusCode(err)
- assert.Equal(t, http.StatusNotFound, code)
- err = common.ErrQuotaExceeded
- code = getMappedStatusCode(err)
- assert.Equal(t, http.StatusRequestEntityTooLarge, code)
- err = os.ErrClosed
- code = getMappedStatusCode(err)
- assert.Equal(t, http.StatusInternalServerError, code)
- err = &http.MaxBytesError{}
- code = getMappedStatusCode(err)
- assert.Equal(t, http.StatusRequestEntityTooLarge, code)
- }
- func TestGCSWebInvalidFormFile(t *testing.T) {
- form := make(url.Values)
- form.Set("username", "test_username")
- form.Set("fs_provider", "2")
- req, _ := http.NewRequest(http.MethodPost, webUserPath, strings.NewReader(form.Encode()))
- req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
- err := req.ParseForm()
- assert.NoError(t, err)
- _, err = getFsConfigFromPostFields(req)
- assert.EqualError(t, err, http.ErrNotMultipart.Error())
- }
- func TestInvalidToken(t *testing.T) {
- server := httpdServer{}
- server.initializeRouter()
- admin := dataprovider.Admin{
- Username: "admin",
- }
- errFake := errors.New("fake error")
- asJSON, err := json.Marshal(admin)
- assert.NoError(t, err)
- req, _ := http.NewRequest(http.MethodPut, path.Join(adminPath, admin.Username), bytes.NewBuffer(asJSON))
- rctx := chi.NewRouteContext()
- rctx.URLParams.Add("username", admin.Username)
- req = req.WithContext(context.WithValue(req.Context(), chi.RouteCtxKey, rctx))
- req = req.WithContext(context.WithValue(req.Context(), jwtauth.ErrorCtxKey, errFake))
- rr := httptest.NewRecorder()
- updateAdmin(rr, req)
- assert.Equal(t, http.StatusBadRequest, rr.Code)
- rr = httptest.NewRecorder()
- deleteAdmin(rr, req)
- assert.Equal(t, http.StatusBadRequest, rr.Code)
- adminPwd := pwdChange{
- CurrentPassword: "old",
- NewPassword: "new",
- }
- asJSON, err = json.Marshal(adminPwd)
- assert.NoError(t, err)
- req, _ = http.NewRequest(http.MethodPut, "", bytes.NewBuffer(asJSON))
- req = req.WithContext(context.WithValue(req.Context(), chi.RouteCtxKey, rctx))
- req = req.WithContext(context.WithValue(req.Context(), jwtauth.ErrorCtxKey, errFake))
- rr = httptest.NewRecorder()
- changeAdminPassword(rr, req)
- assert.Equal(t, http.StatusInternalServerError, rr.Code)
- adm := getAdminFromToken(req)
- assert.Empty(t, adm.Username)
- rr = httptest.NewRecorder()
- readUserFolder(rr, req)
- assert.Equal(t, http.StatusBadRequest, rr.Code)
- assert.Contains(t, rr.Body.String(), "Invalid token claims")
- rr = httptest.NewRecorder()
- getUserFile(rr, req)
- assert.Equal(t, http.StatusBadRequest, rr.Code)
- assert.Contains(t, rr.Body.String(), "Invalid token claims")
- rr = httptest.NewRecorder()
- getUserFilesAsZipStream(rr, req)
- assert.Equal(t, http.StatusBadRequest, rr.Code)
- assert.Contains(t, rr.Body.String(), "Invalid token claims")
- rr = httptest.NewRecorder()
- getShares(rr, req)
- assert.Equal(t, http.StatusBadRequest, rr.Code)
- assert.Contains(t, rr.Body.String(), "Invalid token claims")
- rr = httptest.NewRecorder()
- getShareByID(rr, req)
- assert.Equal(t, http.StatusBadRequest, rr.Code)
- assert.Contains(t, rr.Body.String(), "Invalid token claims")
- rr = httptest.NewRecorder()
- addShare(rr, req)
- assert.Equal(t, http.StatusBadRequest, rr.Code)
- assert.Contains(t, rr.Body.String(), "Invalid token claims")
- rr = httptest.NewRecorder()
- updateShare(rr, req)
- assert.Equal(t, http.StatusBadRequest, rr.Code)
- assert.Contains(t, rr.Body.String(), "Invalid token claims")
- rr = httptest.NewRecorder()
- deleteShare(rr, req)
- assert.Equal(t, http.StatusBadRequest, rr.Code)
- assert.Contains(t, rr.Body.String(), "Invalid token claims")
- rr = httptest.NewRecorder()
- generateTOTPSecret(rr, req)
- assert.Equal(t, http.StatusBadRequest, rr.Code)
- assert.Contains(t, rr.Body.String(), "Invalid token claims")
- rr = httptest.NewRecorder()
- saveTOTPConfig(rr, req)
- assert.Equal(t, http.StatusBadRequest, rr.Code)
- assert.Contains(t, rr.Body.String(), "Invalid token claims")
- rr = httptest.NewRecorder()
- getRecoveryCodes(rr, req)
- assert.Equal(t, http.StatusBadRequest, rr.Code)
- assert.Contains(t, rr.Body.String(), "Invalid token claims")
- rr = httptest.NewRecorder()
- generateRecoveryCodes(rr, req)
- assert.Equal(t, http.StatusBadRequest, rr.Code)
- assert.Contains(t, rr.Body.String(), "Invalid token claims")
- rr = httptest.NewRecorder()
- getUserProfile(rr, req)
- assert.Equal(t, http.StatusBadRequest, rr.Code)
- assert.Contains(t, rr.Body.String(), "Invalid token claims")
- rr = httptest.NewRecorder()
- updateUserProfile(rr, req)
- assert.Equal(t, http.StatusBadRequest, rr.Code)
- assert.Contains(t, rr.Body.String(), "Invalid token claims")
- rr = httptest.NewRecorder()
- getAdminProfile(rr, req)
- assert.Equal(t, http.StatusBadRequest, rr.Code)
- assert.Contains(t, rr.Body.String(), "Invalid token claims")
- rr = httptest.NewRecorder()
- updateAdminProfile(rr, req)
- assert.Equal(t, http.StatusBadRequest, rr.Code)
- assert.Contains(t, rr.Body.String(), "Invalid token claims")
- rr = httptest.NewRecorder()
- loadData(rr, req)
- assert.Equal(t, http.StatusBadRequest, rr.Code)
- assert.Contains(t, rr.Body.String(), "Invalid token claims")
- rr = httptest.NewRecorder()
- loadDataFromRequest(rr, req)
- assert.Equal(t, http.StatusBadRequest, rr.Code)
- assert.Contains(t, rr.Body.String(), "Invalid token claims")
- rr = httptest.NewRecorder()
- addUser(rr, req)
- assert.Equal(t, http.StatusBadRequest, rr.Code)
- assert.Contains(t, rr.Body.String(), "Invalid token claims")
- rr = httptest.NewRecorder()
- disableUser2FA(rr, req)
- assert.Equal(t, http.StatusBadRequest, rr.Code)
- assert.Contains(t, rr.Body.String(), "Invalid token claims")
- rr = httptest.NewRecorder()
- updateUser(rr, req)
- assert.Equal(t, http.StatusBadRequest, rr.Code)
- assert.Contains(t, rr.Body.String(), "Invalid token claims")
- rr = httptest.NewRecorder()
- deleteUser(rr, req)
- assert.Equal(t, http.StatusBadRequest, rr.Code)
- assert.Contains(t, rr.Body.String(), "Invalid token claims")
- rr = httptest.NewRecorder()
- getActiveConnections(rr, req)
- assert.Equal(t, http.StatusBadRequest, rr.Code)
- assert.Contains(t, rr.Body.String(), "Invalid token claims")
- rr = httptest.NewRecorder()
- handleCloseConnection(rr, req)
- assert.Equal(t, http.StatusBadRequest, rr.Code)
- assert.Contains(t, rr.Body.String(), "Invalid token claims")
- rr = httptest.NewRecorder()
- server.handleWebRestore(rr, req)
- assert.Equal(t, http.StatusBadRequest, rr.Code)
- assert.Contains(t, rr.Body.String(), "invalid token claims")
- rr = httptest.NewRecorder()
- server.handleWebAddUserPost(rr, req)
- assert.Equal(t, http.StatusBadRequest, rr.Code)
- assert.Contains(t, rr.Body.String(), "invalid token claims")
- rr = httptest.NewRecorder()
- server.handleWebUpdateUserPost(rr, req)
- assert.Equal(t, http.StatusBadRequest, rr.Code)
- assert.Contains(t, rr.Body.String(), "invalid token claims")
- rr = httptest.NewRecorder()
- server.handleWebTemplateFolderPost(rr, req)
- assert.Equal(t, http.StatusBadRequest, rr.Code)
- assert.Contains(t, rr.Body.String(), "invalid token claims")
- rr = httptest.NewRecorder()
- server.handleWebTemplateUserPost(rr, req)
- assert.Equal(t, http.StatusBadRequest, rr.Code)
- assert.Contains(t, rr.Body.String(), "invalid token claims")
- rr = httptest.NewRecorder()
- addFolder(rr, req)
- assert.Equal(t, http.StatusBadRequest, rr.Code)
- assert.Contains(t, rr.Body.String(), "Invalid token claims")
- rr = httptest.NewRecorder()
- updateFolder(rr, req)
- assert.Equal(t, http.StatusBadRequest, rr.Code)
- assert.Contains(t, rr.Body.String(), "Invalid token claims")
- rr = httptest.NewRecorder()
- getFolderByName(rr, req)
- assert.Equal(t, http.StatusBadRequest, rr.Code)
- assert.Contains(t, rr.Body.String(), "Invalid token claims")
- rr = httptest.NewRecorder()
- deleteFolder(rr, req)
- assert.Equal(t, http.StatusBadRequest, rr.Code)
- assert.Contains(t, rr.Body.String(), "Invalid token claims")
- rr = httptest.NewRecorder()
- server.handleWebAddFolderPost(rr, req)
- assert.Equal(t, http.StatusBadRequest, rr.Code)
- assert.Contains(t, rr.Body.String(), "invalid token claims")
- rr = httptest.NewRecorder()
- server.handleWebUpdateFolderPost(rr, req)
- assert.Equal(t, http.StatusBadRequest, rr.Code)
- assert.Contains(t, rr.Body.String(), "invalid token claims")
- rr = httptest.NewRecorder()
- server.handleWebGetConnections(rr, req)
- assert.Equal(t, http.StatusBadRequest, rr.Code)
- assert.Contains(t, rr.Body.String(), "invalid token claims")
- rr = httptest.NewRecorder()
- server.handleWebConfigsPost(rr, req)
- assert.Equal(t, http.StatusBadRequest, rr.Code)
- assert.Contains(t, rr.Body.String(), "invalid token claims")
- rr = httptest.NewRecorder()
- addAdmin(rr, req)
- assert.Equal(t, http.StatusBadRequest, rr.Code)
- assert.Contains(t, rr.Body.String(), "Invalid token claims")
- rr = httptest.NewRecorder()
- disableAdmin2FA(rr, req)
- assert.Equal(t, http.StatusBadRequest, rr.Code)
- assert.Contains(t, rr.Body.String(), "Invalid token claims")
- rr = httptest.NewRecorder()
- addAPIKey(rr, req)
- assert.Equal(t, http.StatusBadRequest, rr.Code)
- assert.Contains(t, rr.Body.String(), "Invalid token claims")
- rr = httptest.NewRecorder()
- updateAPIKey(rr, req)
- assert.Equal(t, http.StatusBadRequest, rr.Code)
- assert.Contains(t, rr.Body.String(), "Invalid token claims")
- rr = httptest.NewRecorder()
- deleteAPIKey(rr, req)
- assert.Equal(t, http.StatusBadRequest, rr.Code)
- assert.Contains(t, rr.Body.String(), "Invalid token claims")
- rr = httptest.NewRecorder()
- addGroup(rr, req)
- assert.Equal(t, http.StatusBadRequest, rr.Code)
- assert.Contains(t, rr.Body.String(), "Invalid token claims")
- rr = httptest.NewRecorder()
- updateGroup(rr, req)
- assert.Equal(t, http.StatusBadRequest, rr.Code)
- assert.Contains(t, rr.Body.String(), "Invalid token claims")
- rr = httptest.NewRecorder()
- getGroupByName(rr, req)
- assert.Equal(t, http.StatusBadRequest, rr.Code)
- assert.Contains(t, rr.Body.String(), "Invalid token claims")
- rr = httptest.NewRecorder()
- deleteGroup(rr, req)
- assert.Equal(t, http.StatusBadRequest, rr.Code)
- assert.Contains(t, rr.Body.String(), "Invalid token claims")
- rr = httptest.NewRecorder()
- addEventAction(rr, req)
- assert.Equal(t, http.StatusBadRequest, rr.Code)
- assert.Contains(t, rr.Body.String(), "Invalid token claims")
- rr = httptest.NewRecorder()
- getEventActionByName(rr, req)
- assert.Equal(t, http.StatusBadRequest, rr.Code)
- assert.Contains(t, rr.Body.String(), "Invalid token claims")
- rr = httptest.NewRecorder()
- updateEventAction(rr, req)
- assert.Equal(t, http.StatusBadRequest, rr.Code)
- assert.Contains(t, rr.Body.String(), "Invalid token claims")
- rr = httptest.NewRecorder()
- deleteEventAction(rr, req)
- assert.Equal(t, http.StatusBadRequest, rr.Code)
- assert.Contains(t, rr.Body.String(), "Invalid token claims")
- rr = httptest.NewRecorder()
- getEventRuleByName(rr, req)
- assert.Equal(t, http.StatusBadRequest, rr.Code)
- assert.Contains(t, rr.Body.String(), "Invalid token claims")
- rr = httptest.NewRecorder()
- addEventRule(rr, req)
- assert.Equal(t, http.StatusBadRequest, rr.Code)
- assert.Contains(t, rr.Body.String(), "Invalid token claims")
- rr = httptest.NewRecorder()
- updateEventRule(rr, req)
- assert.Equal(t, http.StatusBadRequest, rr.Code)
- assert.Contains(t, rr.Body.String(), "Invalid token claims")
- rr = httptest.NewRecorder()
- deleteEventRule(rr, req)
- assert.Equal(t, http.StatusBadRequest, rr.Code)
- assert.Contains(t, rr.Body.String(), "Invalid token claims")
- rr = httptest.NewRecorder()
- getMetadataChecks(rr, req)
- assert.Equal(t, http.StatusBadRequest, rr.Code)
- assert.Contains(t, rr.Body.String(), "Invalid token claims")
- rr = httptest.NewRecorder()
- startMetadataCheck(rr, req)
- assert.Equal(t, http.StatusBadRequest, rr.Code)
- assert.Contains(t, rr.Body.String(), "Invalid token claims")
- rr = httptest.NewRecorder()
- getUsersQuotaScans(rr, req)
- assert.Equal(t, http.StatusBadRequest, rr.Code)
- assert.Contains(t, rr.Body.String(), "Invalid token claims")
- rr = httptest.NewRecorder()
- updateUserTransferQuotaUsage(rr, req)
- assert.Equal(t, http.StatusBadRequest, rr.Code)
- assert.Contains(t, rr.Body.String(), "Invalid token claims")
- rr = httptest.NewRecorder()
- doUpdateUserQuotaUsage(rr, req, "", quotaUsage{})
- assert.Equal(t, http.StatusBadRequest, rr.Code)
- assert.Contains(t, rr.Body.String(), "Invalid token claims")
- rr = httptest.NewRecorder()
- doStartUserQuotaScan(rr, req, "")
- assert.Equal(t, http.StatusBadRequest, rr.Code)
- assert.Contains(t, rr.Body.String(), "Invalid token claims")
- rr = httptest.NewRecorder()
- getRetentionChecks(rr, req)
- assert.Equal(t, http.StatusBadRequest, rr.Code)
- assert.Contains(t, rr.Body.String(), "Invalid token claims")
- rr = httptest.NewRecorder()
- addRole(rr, req)
- assert.Equal(t, http.StatusBadRequest, rr.Code)
- assert.Contains(t, rr.Body.String(), "Invalid token claims")
- rr = httptest.NewRecorder()
- updateRole(rr, req)
- assert.Equal(t, http.StatusBadRequest, rr.Code)
- assert.Contains(t, rr.Body.String(), "Invalid token claims")
- rr = httptest.NewRecorder()
- deleteRole(rr, req)
- assert.Equal(t, http.StatusBadRequest, rr.Code)
- assert.Contains(t, rr.Body.String(), "Invalid token claims")
- rr = httptest.NewRecorder()
- getUsers(rr, req)
- assert.Equal(t, http.StatusBadRequest, rr.Code)
- assert.Contains(t, rr.Body.String(), "Invalid token claims")
- rr = httptest.NewRecorder()
- getUserByUsername(rr, req)
- assert.Equal(t, http.StatusBadRequest, rr.Code)
- assert.Contains(t, rr.Body.String(), "Invalid token claims")
- rr = httptest.NewRecorder()
- searchFsEvents(rr, req)
- assert.Equal(t, http.StatusBadRequest, rr.Code)
- assert.Contains(t, rr.Body.String(), "Invalid token claims")
- rr = httptest.NewRecorder()
- searchProviderEvents(rr, req)
- assert.Equal(t, http.StatusBadRequest, rr.Code)
- assert.Contains(t, rr.Body.String(), "Invalid token claims")
- rr = httptest.NewRecorder()
- searchLogEvents(rr, req)
- assert.Equal(t, http.StatusBadRequest, rr.Code)
- assert.Contains(t, rr.Body.String(), "Invalid token claims")
- rr = httptest.NewRecorder()
- addIPListEntry(rr, req)
- assert.Equal(t, http.StatusBadRequest, rr.Code)
- assert.Contains(t, rr.Body.String(), "Invalid token claims")
- rr = httptest.NewRecorder()
- updateIPListEntry(rr, req)
- assert.Equal(t, http.StatusBadRequest, rr.Code)
- assert.Contains(t, rr.Body.String(), "Invalid token claims")
- rr = httptest.NewRecorder()
- deleteIPListEntry(rr, req)
- assert.Equal(t, http.StatusBadRequest, rr.Code)
- assert.Contains(t, rr.Body.String(), "Invalid token claims")
- rr = httptest.NewRecorder()
- server.handleGetWebUsers(rr, req)
- assert.Equal(t, http.StatusBadRequest, rr.Code)
- assert.Contains(t, rr.Body.String(), "invalid token claims")
- rr = httptest.NewRecorder()
- server.handleWebUpdateUserGet(rr, req)
- assert.Equal(t, http.StatusBadRequest, rr.Code)
- assert.Contains(t, rr.Body.String(), "invalid token claims")
- rr = httptest.NewRecorder()
- server.handleWebUpdateRolePost(rr, req)
- assert.Equal(t, http.StatusBadRequest, rr.Code)
- assert.Contains(t, rr.Body.String(), "invalid token claims")
- rr = httptest.NewRecorder()
- server.handleWebAddRolePost(rr, req)
- assert.Equal(t, http.StatusBadRequest, rr.Code)
- assert.Contains(t, rr.Body.String(), "invalid token claims")
- rr = httptest.NewRecorder()
- server.handleWebAddAdminPost(rr, req)
- assert.Equal(t, http.StatusBadRequest, rr.Code)
- assert.Contains(t, rr.Body.String(), "invalid token claims")
- rr = httptest.NewRecorder()
- server.handleWebAddGroupPost(rr, req)
- assert.Equal(t, http.StatusBadRequest, rr.Code)
- assert.Contains(t, rr.Body.String(), "invalid token claims")
- rr = httptest.NewRecorder()
- server.handleWebUpdateGroupPost(rr, req)
- assert.Equal(t, http.StatusBadRequest, rr.Code)
- assert.Contains(t, rr.Body.String(), "invalid token claims")
- rr = httptest.NewRecorder()
- server.handleWebAddEventActionPost(rr, req)
- assert.Equal(t, http.StatusBadRequest, rr.Code)
- assert.Contains(t, rr.Body.String(), "invalid token claims")
- rr = httptest.NewRecorder()
- server.handleWebUpdateEventActionPost(rr, req)
- assert.Equal(t, http.StatusBadRequest, rr.Code)
- assert.Contains(t, rr.Body.String(), "invalid token claims")
- rr = httptest.NewRecorder()
- server.handleWebAddEventRulePost(rr, req)
- assert.Equal(t, http.StatusBadRequest, rr.Code)
- assert.Contains(t, rr.Body.String(), "invalid token claims")
- rr = httptest.NewRecorder()
- server.handleWebUpdateEventRulePost(rr, req)
- assert.Equal(t, http.StatusBadRequest, rr.Code)
- assert.Contains(t, rr.Body.String(), "invalid token claims")
- rr = httptest.NewRecorder()
- server.handleWebUpdateIPListEntryPost(rr, req)
- assert.Equal(t, http.StatusBadRequest, rr.Code)
- assert.Contains(t, rr.Body.String(), "invalid token claims")
- rr = httptest.NewRecorder()
- server.handleWebClientTwoFactorRecoveryPost(rr, req)
- assert.Equal(t, http.StatusNotFound, rr.Code)
- rr = httptest.NewRecorder()
- server.handleWebClientTwoFactorPost(rr, req)
- assert.Equal(t, http.StatusNotFound, rr.Code)
- rr = httptest.NewRecorder()
- server.handleWebAdminTwoFactorRecoveryPost(rr, req)
- assert.Equal(t, http.StatusNotFound, rr.Code)
- rr = httptest.NewRecorder()
- server.handleWebAdminTwoFactorPost(rr, req)
- assert.Equal(t, http.StatusNotFound, rr.Code)
- rr = httptest.NewRecorder()
- server.handleWebUpdateIPListEntryPost(rr, req)
- assert.Equal(t, http.StatusBadRequest, rr.Code)
- assert.Contains(t, rr.Body.String(), "invalid token claims")
- form := make(url.Values)
- req, _ = http.NewRequest(http.MethodPost, webIPListPath+"/1", bytes.NewBuffer([]byte(form.Encode())))
- req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
- rctx = chi.NewRouteContext()
- rctx.URLParams.Add("type", "1")
- req = req.WithContext(context.WithValue(req.Context(), chi.RouteCtxKey, rctx))
- rr = httptest.NewRecorder()
- server.handleWebAddIPListEntryPost(rr, req)
- assert.Equal(t, http.StatusBadRequest, rr.Code, rr.Body.String())
- assert.Contains(t, rr.Body.String(), "invalid token claims")
- }
- func TestUpdateWebAdminInvalidClaims(t *testing.T) {
- server := httpdServer{}
- server.initializeRouter()
- rr := httptest.NewRecorder()
- admin := dataprovider.Admin{
- Username: "",
- Password: "password",
- }
- c := jwtTokenClaims{
- Username: admin.Username,
- Permissions: admin.Permissions,
- Signature: admin.GetSignature(),
- }
- token, err := c.createTokenResponse(server.tokenAuth, tokenAudienceWebAdmin, "")
- assert.NoError(t, err)
- form := make(url.Values)
- form.Set(csrfFormToken, createCSRFToken(""))
- form.Set("status", "1")
- form.Set("default_users_expiration", "30")
- req, _ := http.NewRequest(http.MethodPost, path.Join(webAdminPath, "admin"), bytes.NewBuffer([]byte(form.Encode())))
- rctx := chi.NewRouteContext()
- rctx.URLParams.Add("username", "admin")
- req = req.WithContext(context.WithValue(req.Context(), chi.RouteCtxKey, rctx))
- req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
- req.Header.Set("Cookie", fmt.Sprintf("jwt=%v", token["access_token"]))
- server.handleWebUpdateAdminPost(rr, req)
- assert.Equal(t, http.StatusOK, rr.Code)
- assert.Contains(t, rr.Body.String(), "Invalid token claims")
- }
- func TestRetentionInvalidTokenClaims(t *testing.T) {
- username := "retentionuser"
- user := dataprovider.User{
- BaseUser: sdk.BaseUser{
- Username: username,
- Password: "pwd",
- HomeDir: filepath.Join(os.TempDir(), username),
- Status: 1,
- },
- }
- user.Permissions = make(map[string][]string)
- user.Permissions["/"] = []string{dataprovider.PermAny}
- user.Filters.AllowAPIKeyAuth = true
- err := dataprovider.AddUser(&user, "", "", "")
- assert.NoError(t, err)
- folderRetention := []dataprovider.FolderRetention{
- {
- Path: "/",
- Retention: 0,
- DeleteEmptyDirs: true,
- },
- }
- asJSON, err := json.Marshal(folderRetention)
- assert.NoError(t, err)
- req, _ := http.NewRequest(http.MethodPost, retentionBasePath+"/"+username+"/check?notifications=Email", bytes.NewBuffer(asJSON))
- rctx := chi.NewRouteContext()
- rctx.URLParams.Add("username", username)
- req = req.WithContext(context.WithValue(req.Context(), chi.RouteCtxKey, rctx))
- req = req.WithContext(context.WithValue(req.Context(), jwtauth.ErrorCtxKey, errors.New("error")))
- rr := httptest.NewRecorder()
- startRetentionCheck(rr, req)
- assert.Equal(t, http.StatusBadRequest, rr.Code)
- assert.Contains(t, rr.Body.String(), "Invalid token claims")
- err = dataprovider.DeleteUser(username, "", "", "")
- assert.NoError(t, err)
- }
- func TestUpdateSMTPSecrets(t *testing.T) {
- currentConfigs := &dataprovider.SMTPConfigs{
- OAuth2: dataprovider.SMTPOAuth2{
- ClientSecret: kms.NewPlainSecret("client secret"),
- RefreshToken: kms.NewPlainSecret("refresh token"),
- },
- }
- redactedClientSecret := kms.NewPlainSecret("secret")
- redactedRefreshToken := kms.NewPlainSecret("token")
- redactedClientSecret.SetStatus(sdkkms.SecretStatusRedacted)
- redactedRefreshToken.SetStatus(sdkkms.SecretStatusRedacted)
- newConfigs := &dataprovider.SMTPConfigs{
- Password: kms.NewPlainSecret("pwd"),
- OAuth2: dataprovider.SMTPOAuth2{
- ClientSecret: redactedClientSecret,
- RefreshToken: redactedRefreshToken,
- },
- }
- updateSMTPSecrets(newConfigs, currentConfigs)
- assert.Nil(t, currentConfigs.Password)
- assert.NotNil(t, newConfigs.Password)
- assert.Equal(t, currentConfigs.OAuth2.ClientSecret, newConfigs.OAuth2.ClientSecret)
- assert.Equal(t, currentConfigs.OAuth2.RefreshToken, newConfigs.OAuth2.RefreshToken)
- clientSecret := kms.NewPlainSecret("plain secret")
- refreshToken := kms.NewPlainSecret("plain token")
- newConfigs = &dataprovider.SMTPConfigs{
- Password: kms.NewPlainSecret("pwd"),
- OAuth2: dataprovider.SMTPOAuth2{
- ClientSecret: clientSecret,
- RefreshToken: refreshToken,
- },
- }
- updateSMTPSecrets(newConfigs, currentConfigs)
- assert.Equal(t, clientSecret, newConfigs.OAuth2.ClientSecret)
- assert.Equal(t, refreshToken, newConfigs.OAuth2.RefreshToken)
- }
- func TestOAuth2Redirect(t *testing.T) {
- server := httpdServer{}
- server.initializeRouter()
- rr := httptest.NewRecorder()
- req, err := http.NewRequest(http.MethodGet, webOAuth2RedirectPath+"?state=invalid", nil)
- assert.NoError(t, err)
- server.handleOAuth2TokenRedirect(rr, req)
- assert.Equal(t, http.StatusBadRequest, rr.Code)
- assert.Contains(t, rr.Body.String(), "token is unauthorized")
- ip := "127.1.1.4"
- tokenString := createOAuth2Token(xid.New().String(), ip)
- rr = httptest.NewRecorder()
- req, err = http.NewRequest(http.MethodGet, webOAuth2RedirectPath+"?state="+tokenString, nil) //nolint:goconst
- assert.NoError(t, err)
- req.RemoteAddr = ip
- server.handleOAuth2TokenRedirect(rr, req)
- assert.Equal(t, http.StatusInternalServerError, rr.Code)
- assert.Contains(t, rr.Body.String(), "no auth request found for the specified state")
- }
- func TestOAuth2Token(t *testing.T) {
- // invalid token
- _, err := verifyOAuth2Token("token", "")
- if assert.Error(t, err) {
- assert.Contains(t, err.Error(), "unable to verify OAuth2 state")
- }
- // bad audience
- claims := make(map[string]any)
- now := time.Now().UTC()
- claims[jwt.JwtIDKey] = xid.New().String()
- claims[jwt.NotBeforeKey] = now.Add(-30 * time.Second)
- claims[jwt.ExpirationKey] = now.Add(tokenDuration)
- claims[jwt.AudienceKey] = []string{tokenAudienceAPI}
- _, tokenString, err := csrfTokenAuth.Encode(claims)
- assert.NoError(t, err)
- _, err = verifyOAuth2Token(tokenString, "")
- if assert.Error(t, err) {
- assert.Contains(t, err.Error(), "invalid OAuth2 state")
- }
- // bad IP
- tokenString = createOAuth2Token("state", "127.1.1.1")
- _, err = verifyOAuth2Token(tokenString, "127.1.1.2")
- if assert.Error(t, err) {
- assert.Contains(t, err.Error(), "invalid OAuth2 state")
- }
- // ok
- state := xid.New().String()
- tokenString = createOAuth2Token(state, "127.1.1.3")
- s, err := verifyOAuth2Token(tokenString, "127.1.1.3")
- assert.NoError(t, err)
- assert.Equal(t, state, s)
- // no jti
- claims = make(map[string]any)
- claims[jwt.NotBeforeKey] = now.Add(-30 * time.Second)
- claims[jwt.ExpirationKey] = now.Add(tokenDuration)
- claims[jwt.AudienceKey] = []string{tokenAudienceOAuth2, "127.1.1.4"}
- _, tokenString, err = csrfTokenAuth.Encode(claims)
- assert.NoError(t, err)
- _, err = verifyOAuth2Token(tokenString, "127.1.1.4")
- if assert.Error(t, err) {
- assert.Contains(t, err.Error(), "invalid OAuth2 state")
- }
- // encode error
- csrfTokenAuth = jwtauth.New("HT256", util.GenerateRandomBytes(32), nil)
- tokenString = createOAuth2Token(xid.New().String(), "")
- assert.Empty(t, tokenString)
- server := httpdServer{}
- server.initializeRouter()
- rr := httptest.NewRecorder()
- testReq := make(map[string]any)
- testReq["base_redirect_url"] = "http://localhost:8082"
- asJSON, err := json.Marshal(testReq)
- assert.NoError(t, err)
- req, err := http.NewRequest(http.MethodPost, webOAuth2TokenPath, bytes.NewBuffer(asJSON))
- assert.NoError(t, err)
- handleSMTPOAuth2TokenRequestPost(rr, req)
- assert.Equal(t, http.StatusInternalServerError, rr.Code)
- assert.Contains(t, rr.Body.String(), "unable to create state token")
- csrfTokenAuth = jwtauth.New(jwa.HS256.String(), util.GenerateRandomBytes(32), nil)
- }
- func TestCSRFToken(t *testing.T) {
- // invalid token
- err := verifyCSRFToken("token", "")
- if assert.Error(t, err) {
- assert.Contains(t, err.Error(), "unable to verify form token")
- }
- // bad audience
- claims := make(map[string]any)
- now := time.Now().UTC()
- claims[jwt.JwtIDKey] = xid.New().String()
- claims[jwt.NotBeforeKey] = now.Add(-30 * time.Second)
- claims[jwt.ExpirationKey] = now.Add(tokenDuration)
- claims[jwt.AudienceKey] = []string{tokenAudienceAPI}
- _, tokenString, err := csrfTokenAuth.Encode(claims)
- assert.NoError(t, err)
- err = verifyCSRFToken(tokenString, "")
- if assert.Error(t, err) {
- assert.Contains(t, err.Error(), "form token is not valid")
- }
- // bad IP
- tokenString = createCSRFToken("127.1.1.1")
- err = verifyCSRFToken(tokenString, "127.1.1.2")
- if assert.Error(t, err) {
- assert.Contains(t, err.Error(), "form token is not valid")
- }
- claims[jwt.JwtIDKey] = xid.New().String()
- claims[jwt.NotBeforeKey] = now.Add(-30 * time.Second)
- claims[jwt.ExpirationKey] = now.Add(tokenDuration)
- claims[jwt.AudienceKey] = []string{tokenAudienceAPI}
- _, tokenString, err = csrfTokenAuth.Encode(claims)
- assert.NoError(t, err)
- r := GetHTTPRouter(Binding{
- Address: "",
- Port: 8080,
- EnableWebAdmin: true,
- EnableWebClient: true,
- EnableRESTAPI: true,
- RenderOpenAPI: true,
- })
- fn := verifyCSRFHeader(r)
- rr := httptest.NewRecorder()
- req, _ := http.NewRequest(http.MethodDelete, path.Join(userPath, "username"), nil)
- fn.ServeHTTP(rr, req)
- assert.Equal(t, http.StatusForbidden, rr.Code)
- assert.Contains(t, rr.Body.String(), "Invalid token")
- // invalid audience
- req.Header.Set(csrfHeaderToken, tokenString)
- rr = httptest.NewRecorder()
- fn.ServeHTTP(rr, req)
- assert.Equal(t, http.StatusForbidden, rr.Code)
- assert.Contains(t, rr.Body.String(), "the token is not valid")
- // invalid IP
- tokenString = createCSRFToken("172.16.1.2")
- req.Header.Set(csrfHeaderToken, tokenString)
- rr = httptest.NewRecorder()
- fn.ServeHTTP(rr, req)
- assert.Equal(t, http.StatusForbidden, rr.Code)
- assert.Contains(t, rr.Body.String(), "the token is not valid")
- csrfTokenAuth = jwtauth.New("PS256", util.GenerateRandomBytes(32), nil)
- tokenString = createCSRFToken("")
- assert.Empty(t, tokenString)
- csrfTokenAuth = jwtauth.New(jwa.HS256.String(), util.GenerateRandomBytes(32), nil)
- }
- func TestCreateShareCookieError(t *testing.T) {
- username := "share_user"
- pwd := util.GenerateUniqueID()
- user := &dataprovider.User{
- BaseUser: sdk.BaseUser{
- Username: username,
- Password: pwd,
- HomeDir: filepath.Join(os.TempDir(), username),
- Status: 1,
- Permissions: map[string][]string{
- "/": {dataprovider.PermAny},
- },
- },
- }
- err := dataprovider.AddUser(user, "", "", "")
- assert.NoError(t, err)
- share := &dataprovider.Share{
- Name: "test share cookie error",
- ShareID: util.GenerateUniqueID(),
- Scope: dataprovider.ShareScopeRead,
- Password: pwd,
- Paths: []string{"/"},
- Username: username,
- }
- err = dataprovider.AddShare(share, "", "", "")
- assert.NoError(t, err)
- server := httpdServer{
- tokenAuth: jwtauth.New("TS256", util.GenerateRandomBytes(32), nil),
- }
- form := make(url.Values)
- form.Set("share_password", pwd)
- form.Set(csrfFormToken, createCSRFToken("127.0.0.1"))
- rctx := chi.NewRouteContext()
- rctx.URLParams.Add("id", share.ShareID)
- rr := httptest.NewRecorder()
- req, err := http.NewRequest(http.MethodPost, path.Join(webClientPubSharesPath, share.ShareID, "login"),
- bytes.NewBuffer([]byte(form.Encode())))
- assert.NoError(t, err)
- req.RemoteAddr = "127.0.0.1:2345"
- req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
- req = req.WithContext(context.WithValue(req.Context(), chi.RouteCtxKey, rctx))
- server.handleClientShareLoginPost(rr, req)
- assert.Equal(t, http.StatusOK, rr.Code, rr.Body.String())
- assert.Contains(t, rr.Body.String(), common.ErrInternalFailure.Error())
- err = dataprovider.DeleteUser(username, "", "", "")
- assert.NoError(t, err)
- }
- func TestCreateTokenError(t *testing.T) {
- server := httpdServer{
- tokenAuth: jwtauth.New("PS256", util.GenerateRandomBytes(32), nil),
- }
- rr := httptest.NewRecorder()
- admin := dataprovider.Admin{
- Username: defaultAdminUsername,
- Password: "password",
- }
- req, _ := http.NewRequest(http.MethodGet, tokenPath, nil)
- server.generateAndSendToken(rr, req, admin, "")
- assert.Equal(t, http.StatusInternalServerError, rr.Code)
- rr = httptest.NewRecorder()
- user := dataprovider.User{
- BaseUser: sdk.BaseUser{
- Username: "u",
- Password: util.GenerateUniqueID(),
- },
- }
- req, _ = http.NewRequest(http.MethodGet, userTokenPath, nil)
- server.generateAndSendUserToken(rr, req, "", user)
- assert.Equal(t, http.StatusInternalServerError, rr.Code)
- rr = httptest.NewRecorder()
- form := make(url.Values)
- form.Set("username", admin.Username)
- form.Set("password", admin.Password)
- form.Set(csrfFormToken, createCSRFToken("127.0.0.1"))
- req, _ = http.NewRequest(http.MethodPost, webAdminLoginPath, bytes.NewBuffer([]byte(form.Encode())))
- req.RemoteAddr = "127.0.0.1:1234"
- req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
- server.handleWebAdminLoginPost(rr, req)
- assert.Equal(t, http.StatusOK, rr.Code, rr.Body.String())
- // req with no content type
- req, _ = http.NewRequest(http.MethodPost, webAdminLoginPath, nil)
- rr = httptest.NewRecorder()
- server.handleWebAdminLoginPost(rr, req)
- assert.Equal(t, http.StatusOK, rr.Code, rr.Body.String())
- req, _ = http.NewRequest(http.MethodPost, webAdminSetupPath, nil)
- rr = httptest.NewRecorder()
- server.loginAdmin(rr, req, &admin, false, nil, "")
- // req with no POST body
- req, _ = http.NewRequest(http.MethodGet, webAdminLoginPath+"?a=a%C3%AO%GG", nil)
- req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
- rr = httptest.NewRecorder()
- server.handleWebAdminLoginPost(rr, req)
- assert.Equal(t, http.StatusOK, rr.Code, rr.Body.String())
- req, _ = http.NewRequest(http.MethodGet, webAdminLoginPath+"?a=a%C3%A1%G2", nil)
- req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
- rr = httptest.NewRecorder()
- server.handleWebAdminChangePwdPost(rr, req)
- assert.Equal(t, http.StatusOK, rr.Code, rr.Body.String())
- assert.Contains(t, rr.Body.String(), "invalid URL escape")
- req, _ = http.NewRequest(http.MethodGet, webAdminLoginPath+"?a=a%C3%A2%G3", nil)
- req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
- _, err := getAdminFromPostFields(req)
- assert.Error(t, err)
- req, _ = http.NewRequest(http.MethodPost, webAdminEventActionPath+"?a=a%C3%A2%GG", nil)
- req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
- _, err = getEventActionFromPostFields(req)
- assert.Error(t, err)
- req, _ = http.NewRequest(http.MethodPost, webAdminEventRulePath+"?a=a%C3%A3%GG", nil)
- req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
- _, err = getEventRuleFromPostFields(req)
- assert.Error(t, err)
- req, _ = http.NewRequest(http.MethodPost, webIPListPath+"/1?a=a%C3%AO%GG", nil)
- req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
- _, err = getIPListEntryFromPostFields(req, dataprovider.IPListTypeAllowList)
- assert.Error(t, err)
- req, _ = http.NewRequest(http.MethodPost, path.Join(webClientSharePath, "shareID", "login?a=a%C3%AO%GG"), bytes.NewBuffer([]byte(form.Encode())))
- req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
- rr = httptest.NewRecorder()
- server.handleClientShareLoginPost(rr, req)
- assert.Equal(t, http.StatusOK, rr.Code, rr.Body.String())
- req, _ = http.NewRequest(http.MethodPost, webClientLoginPath+"?a=a%C3%AO%GG", bytes.NewBuffer([]byte(form.Encode())))
- req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
- rr = httptest.NewRecorder()
- server.handleWebClientLoginPost(rr, req)
- assert.Equal(t, http.StatusOK, rr.Code, rr.Body.String())
- req, _ = http.NewRequest(http.MethodPost, webChangeClientPwdPath+"?a=a%C3%AO%GA", bytes.NewBuffer([]byte(form.Encode())))
- req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
- rr = httptest.NewRecorder()
- server.handleWebClientChangePwdPost(rr, req)
- assert.Equal(t, http.StatusOK, rr.Code, rr.Body.String())
- assert.Contains(t, rr.Body.String(), "invalid URL escape")
- req, _ = http.NewRequest(http.MethodPost, webClientProfilePath+"?a=a%C3%AO%GB", bytes.NewBuffer([]byte(form.Encode())))
- req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
- rr = httptest.NewRecorder()
- server.handleWebClientProfilePost(rr, req)
- assert.Equal(t, http.StatusInternalServerError, rr.Code, rr.Body.String())
- req, _ = http.NewRequest(http.MethodPost, webAdminProfilePath+"?a=a%C3%AO%GB", bytes.NewBuffer([]byte(form.Encode())))
- req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
- rr = httptest.NewRecorder()
- server.handleWebAdminProfilePost(rr, req)
- assert.Equal(t, http.StatusInternalServerError, rr.Code, rr.Body.String())
- req, _ = http.NewRequest(http.MethodPost, webAdminTwoFactorPath+"?a=a%C3%AO%GC", bytes.NewBuffer([]byte(form.Encode())))
- req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
- rr = httptest.NewRecorder()
- server.handleWebAdminTwoFactorPost(rr, req)
- assert.Equal(t, http.StatusOK, rr.Code, rr.Body.String())
- assert.Contains(t, rr.Body.String(), "invalid URL escape")
- req, _ = http.NewRequest(http.MethodPost, webAdminTwoFactorRecoveryPath+"?a=a%C3%AO%GD", bytes.NewBuffer([]byte(form.Encode())))
- req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
- rr = httptest.NewRecorder()
- server.handleWebAdminTwoFactorRecoveryPost(rr, req)
- assert.Equal(t, http.StatusOK, rr.Code, rr.Body.String())
- assert.Contains(t, rr.Body.String(), "invalid URL escape")
- req, _ = http.NewRequest(http.MethodPost, webClientTwoFactorPath+"?a=a%C3%AO%GC", bytes.NewBuffer([]byte(form.Encode())))
- req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
- rr = httptest.NewRecorder()
- server.handleWebClientTwoFactorPost(rr, req)
- assert.Equal(t, http.StatusOK, rr.Code, rr.Body.String())
- assert.Contains(t, rr.Body.String(), "invalid URL escape")
- req, _ = http.NewRequest(http.MethodPost, webClientTwoFactorRecoveryPath+"?a=a%C3%AO%GD", bytes.NewBuffer([]byte(form.Encode())))
- req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
- rr = httptest.NewRecorder()
- server.handleWebClientTwoFactorRecoveryPost(rr, req)
- assert.Equal(t, http.StatusOK, rr.Code, rr.Body.String())
- assert.Contains(t, rr.Body.String(), "invalid URL escape")
- req, _ = http.NewRequest(http.MethodPost, webAdminForgotPwdPath+"?a=a%C3%A1%GD", bytes.NewBuffer([]byte(form.Encode())))
- req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
- rr = httptest.NewRecorder()
- server.handleWebAdminForgotPwdPost(rr, req)
- assert.Equal(t, http.StatusOK, rr.Code, rr.Body.String())
- assert.Contains(t, rr.Body.String(), "invalid URL escape")
- req, _ = http.NewRequest(http.MethodPost, webClientForgotPwdPath+"?a=a%C2%A1%GD", bytes.NewBuffer([]byte(form.Encode())))
- req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
- rr = httptest.NewRecorder()
- server.handleWebClientForgotPwdPost(rr, req)
- assert.Equal(t, http.StatusOK, rr.Code, rr.Body.String())
- assert.Contains(t, rr.Body.String(), "invalid URL escape")
- req, _ = http.NewRequest(http.MethodPost, webAdminResetPwdPath+"?a=a%C3%AO%JD", bytes.NewBuffer([]byte(form.Encode())))
- req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
- rr = httptest.NewRecorder()
- server.handleWebAdminPasswordResetPost(rr, req)
- assert.Equal(t, http.StatusOK, rr.Code, rr.Body.String())
- assert.Contains(t, rr.Body.String(), "invalid URL escape")
- req, _ = http.NewRequest(http.MethodPost, webAdminRolePath+"?a=a%C3%AO%JE", bytes.NewBuffer([]byte(form.Encode())))
- req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
- rr = httptest.NewRecorder()
- server.handleWebAddRolePost(rr, req)
- assert.Equal(t, http.StatusOK, rr.Code, rr.Body.String())
- assert.Contains(t, rr.Body.String(), "invalid URL escape")
- req, _ = http.NewRequest(http.MethodPost, webClientResetPwdPath+"?a=a%C3%AO%JD", bytes.NewBuffer([]byte(form.Encode())))
- req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
- rr = httptest.NewRecorder()
- server.handleWebClientPasswordResetPost(rr, req)
- assert.Equal(t, http.StatusOK, rr.Code, rr.Body.String())
- assert.Contains(t, rr.Body.String(), "invalid URL escape")
- req, _ = http.NewRequest(http.MethodPost, webChangeClientPwdPath+"?a=a%K3%AO%GA", bytes.NewBuffer([]byte(form.Encode())))
- _, err = getShareFromPostFields(req)
- if assert.Error(t, err) {
- assert.Contains(t, err.Error(), "invalid URL escape")
- }
- username := "webclientuser"
- user = dataprovider.User{
- BaseUser: sdk.BaseUser{
- Username: username,
- Password: "clientpwd",
- HomeDir: filepath.Join(os.TempDir(), username),
- Status: 1,
- Description: "test user",
- },
- }
- user.Permissions = make(map[string][]string)
- user.Permissions["/"] = []string{dataprovider.PermAny}
- user.Filters.AllowAPIKeyAuth = true
- err = dataprovider.AddUser(&user, "", "", "")
- assert.NoError(t, err)
- rr = httptest.NewRecorder()
- form = make(url.Values)
- form.Set("username", user.Username)
- form.Set("password", "clientpwd")
- form.Set(csrfFormToken, createCSRFToken("127.0.0.1"))
- req, _ = http.NewRequest(http.MethodPost, webClientLoginPath, bytes.NewBuffer([]byte(form.Encode())))
- req.RemoteAddr = "127.0.0.1:4567"
- req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
- server.handleWebClientLoginPost(rr, req)
- assert.Equal(t, http.StatusOK, rr.Code, rr.Body.String())
- err = authenticateUserWithAPIKey(username, "", server.tokenAuth, req)
- assert.Error(t, err)
- err = dataprovider.DeleteUser(username, "", "", "")
- assert.NoError(t, err)
- err = os.RemoveAll(user.HomeDir)
- assert.NoError(t, err)
- admin.Username += "1"
- admin.Status = 1
- admin.Filters.AllowAPIKeyAuth = true
- admin.Permissions = []string{dataprovider.PermAdminAny}
- err = dataprovider.AddAdmin(&admin, "", "", "")
- assert.NoError(t, err)
- err = authenticateAdminWithAPIKey(admin.Username, "", server.tokenAuth, req)
- assert.Error(t, err)
- err = dataprovider.DeleteAdmin(admin.Username, "", "", "")
- assert.NoError(t, err)
- }
- func TestAPIKeyAuthForbidden(t *testing.T) {
- r := GetHTTPRouter(Binding{
- Address: "",
- Port: 8080,
- EnableWebAdmin: true,
- EnableWebClient: true,
- EnableRESTAPI: true,
- RenderOpenAPI: true,
- })
- fn := forbidAPIKeyAuthentication(r)
- rr := httptest.NewRecorder()
- req, _ := http.NewRequest(http.MethodGet, versionPath, nil)
- fn.ServeHTTP(rr, req)
- assert.Equal(t, http.StatusBadRequest, rr.Code)
- assert.Contains(t, rr.Body.String(), "Invalid token claims")
- }
- func TestJWTTokenValidation(t *testing.T) {
- tokenAuth := jwtauth.New(jwa.HS256.String(), util.GenerateRandomBytes(32), nil)
- claims := make(map[string]any)
- claims["username"] = defaultAdminUsername
- claims[jwt.ExpirationKey] = time.Now().UTC().Add(-1 * time.Hour)
- token, _, err := tokenAuth.Encode(claims)
- assert.NoError(t, err)
- server := httpdServer{
- binding: Binding{
- Address: "",
- Port: 8080,
- EnableWebAdmin: true,
- EnableWebClient: true,
- EnableRESTAPI: true,
- RenderOpenAPI: true,
- },
- }
- server.initializeRouter()
- r := server.router
- fn := jwtAuthenticatorAPI(r)
- rr := httptest.NewRecorder()
- req, _ := http.NewRequest(http.MethodGet, userPath, nil)
- ctx := jwtauth.NewContext(req.Context(), token, nil)
- fn.ServeHTTP(rr, req.WithContext(ctx))
- assert.Equal(t, http.StatusUnauthorized, rr.Code)
- fn = jwtAuthenticatorWebAdmin(r)
- rr = httptest.NewRecorder()
- req, _ = http.NewRequest(http.MethodGet, webUserPath, nil)
- ctx = jwtauth.NewContext(req.Context(), token, nil)
- fn.ServeHTTP(rr, req.WithContext(ctx))
- assert.Equal(t, http.StatusFound, rr.Code)
- assert.Equal(t, webAdminLoginPath, rr.Header().Get("Location"))
- fn = jwtAuthenticatorWebClient(r)
- rr = httptest.NewRecorder()
- req, _ = http.NewRequest(http.MethodGet, webClientFilesPath, nil)
- ctx = jwtauth.NewContext(req.Context(), token, nil)
- fn.ServeHTTP(rr, req.WithContext(ctx))
- assert.Equal(t, http.StatusFound, rr.Code)
- assert.Equal(t, webClientLoginPath, rr.Header().Get("Location"))
- errTest := errors.New("test error")
- permFn := server.checkPerm(dataprovider.PermAdminAny)
- fn = permFn(r)
- rr = httptest.NewRecorder()
- req, _ = http.NewRequest(http.MethodGet, userPath, nil)
- ctx = jwtauth.NewContext(req.Context(), token, errTest)
- fn.ServeHTTP(rr, req.WithContext(ctx))
- assert.Equal(t, http.StatusBadRequest, rr.Code)
- permFn = server.checkPerm(dataprovider.PermAdminAny)
- fn = permFn(r)
- rr = httptest.NewRecorder()
- req, _ = http.NewRequest(http.MethodGet, webUserPath, nil)
- req.RequestURI = webUserPath
- ctx = jwtauth.NewContext(req.Context(), token, errTest)
- fn.ServeHTTP(rr, req.WithContext(ctx))
- assert.Equal(t, http.StatusBadRequest, rr.Code)
- permClientFn := server.checkHTTPUserPerm(sdk.WebClientPubKeyChangeDisabled)
- fn = permClientFn(r)
- rr = httptest.NewRecorder()
- req, _ = http.NewRequest(http.MethodPost, webClientProfilePath, nil)
- req.RequestURI = webClientProfilePath
- ctx = jwtauth.NewContext(req.Context(), token, errTest)
- fn.ServeHTTP(rr, req.WithContext(ctx))
- assert.Equal(t, http.StatusBadRequest, rr.Code)
- rr = httptest.NewRecorder()
- req, _ = http.NewRequest(http.MethodPost, userProfilePath, nil)
- req.RequestURI = userProfilePath
- ctx = jwtauth.NewContext(req.Context(), token, errTest)
- fn.ServeHTTP(rr, req.WithContext(ctx))
- assert.Equal(t, http.StatusBadRequest, rr.Code)
- fn = server.checkAuthRequirements(r)
- rr = httptest.NewRecorder()
- req, _ = http.NewRequest(http.MethodPost, webClientProfilePath, nil)
- req.RequestURI = webClientProfilePath
- ctx = jwtauth.NewContext(req.Context(), token, errTest)
- fn.ServeHTTP(rr, req.WithContext(ctx))
- assert.Equal(t, http.StatusBadRequest, rr.Code)
- rr = httptest.NewRecorder()
- req, _ = http.NewRequest(http.MethodPost, userSharesPath, nil)
- req.RequestURI = userSharesPath
- ctx = jwtauth.NewContext(req.Context(), token, errTest)
- fn.ServeHTTP(rr, req.WithContext(ctx))
- assert.Equal(t, http.StatusBadRequest, rr.Code)
- }
- func TestUpdateContextFromCookie(t *testing.T) {
- server := httpdServer{
- tokenAuth: jwtauth.New(jwa.HS256.String(), util.GenerateRandomBytes(32), nil),
- }
- req, _ := http.NewRequest(http.MethodGet, tokenPath, nil)
- claims := make(map[string]any)
- claims["a"] = "b"
- token, _, err := server.tokenAuth.Encode(claims)
- assert.NoError(t, err)
- ctx := jwtauth.NewContext(req.Context(), token, nil)
- server.updateContextFromCookie(req.WithContext(ctx))
- }
- func TestCookieExpiration(t *testing.T) {
- server := httpdServer{
- tokenAuth: jwtauth.New(jwa.HS256.String(), util.GenerateRandomBytes(32), nil),
- }
- err := errors.New("test error")
- rr := httptest.NewRecorder()
- req, _ := http.NewRequest(http.MethodGet, tokenPath, nil)
- ctx := jwtauth.NewContext(req.Context(), nil, err)
- server.checkCookieExpiration(rr, req.WithContext(ctx))
- cookie := rr.Header().Get("Set-Cookie")
- assert.Empty(t, cookie)
- req, _ = http.NewRequest(http.MethodGet, tokenPath, nil)
- claims := make(map[string]any)
- claims["a"] = "b"
- token, _, err := server.tokenAuth.Encode(claims)
- assert.NoError(t, err)
- ctx = jwtauth.NewContext(req.Context(), token, nil)
- server.checkCookieExpiration(rr, req.WithContext(ctx))
- cookie = rr.Header().Get("Set-Cookie")
- assert.Empty(t, cookie)
- admin := dataprovider.Admin{
- Username: "newtestadmin",
- Password: "password",
- Permissions: []string{dataprovider.PermAdminAny},
- }
- claims = make(map[string]any)
- claims[claimUsernameKey] = admin.Username
- claims[claimPermissionsKey] = admin.Permissions
- claims[jwt.SubjectKey] = admin.GetSignature()
- claims[jwt.ExpirationKey] = time.Now().Add(1 * time.Minute)
- claims[jwt.AudienceKey] = []string{tokenAudienceAPI}
- token, _, err = server.tokenAuth.Encode(claims)
- assert.NoError(t, err)
- req, _ = http.NewRequest(http.MethodGet, tokenPath, nil)
- ctx = jwtauth.NewContext(req.Context(), token, nil)
- server.checkCookieExpiration(rr, req.WithContext(ctx))
- cookie = rr.Header().Get("Set-Cookie")
- assert.Empty(t, cookie)
- admin.Status = 0
- err = dataprovider.AddAdmin(&admin, "", "", "")
- assert.NoError(t, err)
- req, _ = http.NewRequest(http.MethodGet, tokenPath, nil)
- ctx = jwtauth.NewContext(req.Context(), token, nil)
- server.checkCookieExpiration(rr, req.WithContext(ctx))
- cookie = rr.Header().Get("Set-Cookie")
- assert.Empty(t, cookie)
- admin.Status = 1
- admin.Filters.AllowList = []string{"172.16.1.0/24"}
- err = dataprovider.UpdateAdmin(&admin, "", "", "")
- assert.NoError(t, err)
- req, _ = http.NewRequest(http.MethodGet, tokenPath, nil)
- ctx = jwtauth.NewContext(req.Context(), token, nil)
- server.checkCookieExpiration(rr, req.WithContext(ctx))
- cookie = rr.Header().Get("Set-Cookie")
- assert.Empty(t, cookie)
- admin, err = dataprovider.AdminExists(admin.Username)
- assert.NoError(t, err)
- claims = make(map[string]any)
- claims[claimUsernameKey] = admin.Username
- claims[claimPermissionsKey] = admin.Permissions
- claims[jwt.SubjectKey] = admin.GetSignature()
- claims[jwt.ExpirationKey] = time.Now().Add(1 * time.Minute)
- claims[jwt.AudienceKey] = []string{tokenAudienceAPI}
- token, _, err = server.tokenAuth.Encode(claims)
- assert.NoError(t, err)
- req, _ = http.NewRequest(http.MethodGet, tokenPath, nil)
- req.RemoteAddr = "192.168.8.1:1234"
- ctx = jwtauth.NewContext(req.Context(), token, nil)
- server.checkCookieExpiration(rr, req.WithContext(ctx))
- cookie = rr.Header().Get("Set-Cookie")
- assert.Empty(t, cookie)
- req, _ = http.NewRequest(http.MethodGet, tokenPath, nil)
- req.RemoteAddr = "172.16.1.12:4567"
- ctx = jwtauth.NewContext(req.Context(), token, nil)
- server.checkCookieExpiration(rr, req.WithContext(ctx))
- cookie = rr.Header().Get("Set-Cookie")
- assert.True(t, strings.HasPrefix(cookie, "jwt="))
- err = dataprovider.DeleteAdmin(admin.Username, "", "", "")
- assert.NoError(t, err)
- // now check client cookie expiration
- username := "client"
- user := dataprovider.User{
- BaseUser: sdk.BaseUser{
- Username: username,
- Password: "clientpwd",
- HomeDir: filepath.Join(os.TempDir(), username),
- Status: 1,
- Description: "test user",
- },
- }
- user.Permissions = make(map[string][]string)
- user.Permissions["/"] = []string{"*"}
- claims = make(map[string]any)
- claims[claimUsernameKey] = user.Username
- claims[claimPermissionsKey] = user.Filters.WebClient
- claims[jwt.SubjectKey] = user.GetSignature()
- claims[jwt.ExpirationKey] = time.Now().Add(1 * time.Minute)
- claims[jwt.AudienceKey] = []string{tokenAudienceWebClient}
- token, _, err = server.tokenAuth.Encode(claims)
- assert.NoError(t, err)
- rr = httptest.NewRecorder()
- req, _ = http.NewRequest(http.MethodGet, webClientFilesPath, nil)
- ctx = jwtauth.NewContext(req.Context(), token, nil)
- server.checkCookieExpiration(rr, req.WithContext(ctx))
- cookie = rr.Header().Get("Set-Cookie")
- assert.Empty(t, cookie)
- // the password will be hashed and so the signature will change
- err = dataprovider.AddUser(&user, "", "", "")
- assert.NoError(t, err)
- req, _ = http.NewRequest(http.MethodGet, webClientFilesPath, nil)
- ctx = jwtauth.NewContext(req.Context(), token, nil)
- server.checkCookieExpiration(rr, req.WithContext(ctx))
- cookie = rr.Header().Get("Set-Cookie")
- assert.Empty(t, cookie)
- user, err = dataprovider.UserExists(user.Username, "")
- assert.NoError(t, err)
- user.Filters.AllowedIP = []string{"172.16.4.0/24"}
- err = dataprovider.UpdateUser(&user, "", "", "")
- assert.NoError(t, err)
- user, err = dataprovider.UserExists(user.Username, "")
- assert.NoError(t, err)
- claims = make(map[string]any)
- claims[claimUsernameKey] = user.Username
- claims[claimPermissionsKey] = user.Filters.WebClient
- claims[jwt.SubjectKey] = user.GetSignature()
- claims[jwt.ExpirationKey] = time.Now().Add(1 * time.Minute)
- claims[jwt.AudienceKey] = []string{tokenAudienceWebClient}
- token, _, err = server.tokenAuth.Encode(claims)
- assert.NoError(t, err)
- req, _ = http.NewRequest(http.MethodGet, webClientFilesPath, nil)
- req.RemoteAddr = "172.16.3.12:4567"
- ctx = jwtauth.NewContext(req.Context(), token, nil)
- server.checkCookieExpiration(rr, req.WithContext(ctx))
- cookie = rr.Header().Get("Set-Cookie")
- assert.Empty(t, cookie)
- req, _ = http.NewRequest(http.MethodGet, webClientFilesPath, nil)
- req.RemoteAddr = "172.16.4.16:4567"
- ctx = jwtauth.NewContext(req.Context(), token, nil)
- server.checkCookieExpiration(rr, req.WithContext(ctx))
- cookie = rr.Header().Get("Set-Cookie")
- assert.NotEmpty(t, cookie)
- err = dataprovider.DeleteUser(user.Username, "", "", "")
- assert.NoError(t, err)
- }
- func TestGetURLParam(t *testing.T) {
- req, _ := http.NewRequest(http.MethodGet, adminPwdPath, nil)
- rctx := chi.NewRouteContext()
- rctx.URLParams.Add("val", "testuser%C3%A0")
- rctx.URLParams.Add("inval", "testuser%C3%AO%GG")
- req = req.WithContext(context.WithValue(req.Context(), chi.RouteCtxKey, rctx))
- escaped := getURLParam(req, "val")
- assert.Equal(t, "testuserà", escaped)
- escaped = getURLParam(req, "inval")
- assert.Equal(t, "testuser%C3%AO%GG", escaped)
- }
- func TestChangePwdValidationErrors(t *testing.T) {
- err := doChangeAdminPassword(nil, "", "", "")
- require.Error(t, err)
- err = doChangeAdminPassword(nil, "a", "b", "c")
- require.Error(t, err)
- err = doChangeAdminPassword(nil, "a", "a", "a")
- require.Error(t, err)
- req, _ := http.NewRequest(http.MethodPut, adminPwdPath, nil)
- err = doChangeAdminPassword(req, "currentpwd", "newpwd", "newpwd")
- assert.Error(t, err)
- }
- func TestRenderUnexistingFolder(t *testing.T) {
- rr := httptest.NewRecorder()
- req, _ := http.NewRequest(http.MethodPost, folderPath, nil)
- renderFolder(rr, req, "path not mapped", &jwtTokenClaims{}, http.StatusOK)
- assert.Equal(t, http.StatusNotFound, rr.Code)
- }
- func TestCloseConnectionHandler(t *testing.T) {
- tokenAuth := jwtauth.New(jwa.HS256.String(), util.GenerateRandomBytes(32), nil)
- claims := make(map[string]any)
- claims["username"] = defaultAdminUsername
- claims[jwt.ExpirationKey] = time.Now().UTC().Add(1 * time.Hour)
- token, _, err := tokenAuth.Encode(claims)
- assert.NoError(t, err)
- req, err := http.NewRequest(http.MethodDelete, activeConnectionsPath+"/connectionID", nil)
- assert.NoError(t, err)
- rctx := chi.NewRouteContext()
- rctx.URLParams.Add("connectionID", "")
- req = req.WithContext(context.WithValue(req.Context(), chi.RouteCtxKey, rctx))
- req = req.WithContext(context.WithValue(req.Context(), jwtauth.TokenCtxKey, token))
- rr := httptest.NewRecorder()
- handleCloseConnection(rr, req)
- assert.Equal(t, http.StatusBadRequest, rr.Code)
- assert.Contains(t, rr.Body.String(), "connectionID is mandatory")
- }
- func TestRenderInvalidTemplate(t *testing.T) {
- tmpl, err := template.New("test").Parse("{{.Count}}")
- if assert.NoError(t, err) {
- noMatchTmpl := "no_match"
- adminTemplates[noMatchTmpl] = tmpl
- rw := httptest.NewRecorder()
- renderAdminTemplate(rw, noMatchTmpl, map[string]string{})
- assert.Equal(t, http.StatusInternalServerError, rw.Code)
- clientTemplates[noMatchTmpl] = tmpl
- renderClientTemplate(rw, noMatchTmpl, map[string]string{})
- assert.Equal(t, http.StatusInternalServerError, rw.Code)
- }
- }
- func TestQuotaScanInvalidFs(t *testing.T) {
- user := dataprovider.User{
- BaseUser: sdk.BaseUser{
- Username: "test",
- HomeDir: os.TempDir(),
- },
- FsConfig: vfs.Filesystem{
- Provider: sdk.S3FilesystemProvider,
- },
- }
- common.QuotaScans.AddUserQuotaScan(user.Username, "")
- err := doUserQuotaScan(user)
- assert.Error(t, err)
- }
- func TestVerifyTLSConnection(t *testing.T) {
- oldCertMgr := certMgr
- caCrlPath := filepath.Join(os.TempDir(), "testcrl.crt")
- certPath := filepath.Join(os.TempDir(), "testh.crt")
- keyPath := filepath.Join(os.TempDir(), "testh.key")
- err := os.WriteFile(caCrlPath, []byte(caCRL), os.ModePerm)
- assert.NoError(t, err)
- err = os.WriteFile(certPath, []byte(httpdCert), os.ModePerm)
- assert.NoError(t, err)
- err = os.WriteFile(keyPath, []byte(httpdKey), os.ModePerm)
- assert.NoError(t, err)
- keyPairs := []common.TLSKeyPair{
- {
- Cert: certPath,
- Key: keyPath,
- ID: common.DefaultTLSKeyPaidID,
- },
- }
- certMgr, err = common.NewCertManager(keyPairs, "", "httpd_test")
- assert.NoError(t, err)
- certMgr.SetCARevocationLists([]string{caCrlPath})
- err = certMgr.LoadCRLs()
- assert.NoError(t, err)
- crt, err := tls.X509KeyPair([]byte(client1Crt), []byte(client1Key))
- assert.NoError(t, err)
- x509crt, err := x509.ParseCertificate(crt.Certificate[0])
- assert.NoError(t, err)
- server := httpdServer{}
- state := tls.ConnectionState{
- PeerCertificates: []*x509.Certificate{x509crt},
- }
- err = server.verifyTLSConnection(state)
- assert.Error(t, err) // no verified certification chain
- crt, err = tls.X509KeyPair([]byte(caCRT), []byte(caKey))
- assert.NoError(t, err)
- x509CAcrt, err := x509.ParseCertificate(crt.Certificate[0])
- assert.NoError(t, err)
- state.VerifiedChains = append(state.VerifiedChains, []*x509.Certificate{x509crt, x509CAcrt})
- err = server.verifyTLSConnection(state)
- assert.NoError(t, err)
- crt, err = tls.X509KeyPair([]byte(client2Crt), []byte(client2Key))
- assert.NoError(t, err)
- x509crtRevoked, err := x509.ParseCertificate(crt.Certificate[0])
- assert.NoError(t, err)
- state.VerifiedChains = append(state.VerifiedChains, []*x509.Certificate{x509crtRevoked, x509CAcrt})
- state.PeerCertificates = []*x509.Certificate{x509crtRevoked}
- err = server.verifyTLSConnection(state)
- assert.EqualError(t, err, common.ErrCrtRevoked.Error())
- err = os.Remove(caCrlPath)
- assert.NoError(t, err)
- err = os.Remove(certPath)
- assert.NoError(t, err)
- err = os.Remove(keyPath)
- assert.NoError(t, err)
- certMgr = oldCertMgr
- }
- func TestGetFolderFromTemplate(t *testing.T) {
- folder := vfs.BaseVirtualFolder{
- MappedPath: "Folder%name%",
- Description: "Folder %name% desc",
- }
- folderName := "folderTemplate"
- folderTemplate := getFolderFromTemplate(folder, folderName)
- require.Equal(t, folderName, folderTemplate.Name)
- require.Equal(t, fmt.Sprintf("Folder%v", folderName), folderTemplate.MappedPath)
- require.Equal(t, fmt.Sprintf("Folder %v desc", folderName), folderTemplate.Description)
- folder.FsConfig.Provider = sdk.CryptedFilesystemProvider
- folder.FsConfig.CryptConfig.Passphrase = kms.NewPlainSecret("%name%")
- folderTemplate = getFolderFromTemplate(folder, folderName)
- require.Equal(t, folderName, folderTemplate.FsConfig.CryptConfig.Passphrase.GetPayload())
- folder.FsConfig.Provider = sdk.GCSFilesystemProvider
- folder.FsConfig.GCSConfig.KeyPrefix = "prefix%name%/"
- folderTemplate = getFolderFromTemplate(folder, folderName)
- require.Equal(t, fmt.Sprintf("prefix%v/", folderName), folderTemplate.FsConfig.GCSConfig.KeyPrefix)
- folder.FsConfig.Provider = sdk.AzureBlobFilesystemProvider
- folder.FsConfig.AzBlobConfig.KeyPrefix = "a%name%"
- folder.FsConfig.AzBlobConfig.AccountKey = kms.NewPlainSecret("pwd%name%")
- folderTemplate = getFolderFromTemplate(folder, folderName)
- require.Equal(t, "a"+folderName, folderTemplate.FsConfig.AzBlobConfig.KeyPrefix)
- require.Equal(t, "pwd"+folderName, folderTemplate.FsConfig.AzBlobConfig.AccountKey.GetPayload())
- folder.FsConfig.Provider = sdk.SFTPFilesystemProvider
- folder.FsConfig.SFTPConfig.Prefix = "%name%"
- folder.FsConfig.SFTPConfig.Username = "sftp_%name%"
- folder.FsConfig.SFTPConfig.Password = kms.NewPlainSecret("sftp%name%")
- folderTemplate = getFolderFromTemplate(folder, folderName)
- require.Equal(t, folderName, folderTemplate.FsConfig.SFTPConfig.Prefix)
- require.Equal(t, "sftp_"+folderName, folderTemplate.FsConfig.SFTPConfig.Username)
- require.Equal(t, "sftp"+folderName, folderTemplate.FsConfig.SFTPConfig.Password.GetPayload())
- }
- func TestGetUserFromTemplate(t *testing.T) {
- user := dataprovider.User{
- BaseUser: sdk.BaseUser{
- Status: 1,
- },
- }
- user.VirtualFolders = append(user.VirtualFolders, vfs.VirtualFolder{
- BaseVirtualFolder: vfs.BaseVirtualFolder{
- Name: "Folder%username%",
- },
- })
- username := "userTemplate"
- password := "pwdTemplate"
- templateFields := userTemplateFields{
- Username: username,
- Password: password,
- }
- userTemplate := getUserFromTemplate(user, templateFields)
- require.Len(t, userTemplate.VirtualFolders, 1)
- require.Equal(t, "Folder"+username, userTemplate.VirtualFolders[0].Name)
- user.FsConfig.Provider = sdk.CryptedFilesystemProvider
- user.FsConfig.CryptConfig.Passphrase = kms.NewPlainSecret("%password%")
- userTemplate = getUserFromTemplate(user, templateFields)
- require.Equal(t, password, userTemplate.FsConfig.CryptConfig.Passphrase.GetPayload())
- user.FsConfig.Provider = sdk.GCSFilesystemProvider
- user.FsConfig.GCSConfig.KeyPrefix = "%username%%password%"
- userTemplate = getUserFromTemplate(user, templateFields)
- require.Equal(t, username+password, userTemplate.FsConfig.GCSConfig.KeyPrefix)
- user.FsConfig.Provider = sdk.AzureBlobFilesystemProvider
- user.FsConfig.AzBlobConfig.KeyPrefix = "a%username%"
- user.FsConfig.AzBlobConfig.AccountKey = kms.NewPlainSecret("pwd%password%%username%")
- userTemplate = getUserFromTemplate(user, templateFields)
- require.Equal(t, "a"+username, userTemplate.FsConfig.AzBlobConfig.KeyPrefix)
- require.Equal(t, "pwd"+password+username, userTemplate.FsConfig.AzBlobConfig.AccountKey.GetPayload())
- user.FsConfig.Provider = sdk.SFTPFilesystemProvider
- user.FsConfig.SFTPConfig.Prefix = "%username%"
- user.FsConfig.SFTPConfig.Username = "sftp_%username%"
- user.FsConfig.SFTPConfig.Password = kms.NewPlainSecret("sftp%password%")
- userTemplate = getUserFromTemplate(user, templateFields)
- require.Equal(t, username, userTemplate.FsConfig.SFTPConfig.Prefix)
- require.Equal(t, "sftp_"+username, userTemplate.FsConfig.SFTPConfig.Username)
- require.Equal(t, "sftp"+password, userTemplate.FsConfig.SFTPConfig.Password.GetPayload())
- }
- func TestJWTTokenCleanup(t *testing.T) {
- server := httpdServer{
- tokenAuth: jwtauth.New(jwa.HS256.String(), util.GenerateRandomBytes(32), nil),
- }
- admin := dataprovider.Admin{
- Username: "newtestadmin",
- Password: "password",
- Permissions: []string{dataprovider.PermAdminAny},
- }
- claims := make(map[string]any)
- claims[claimUsernameKey] = admin.Username
- claims[claimPermissionsKey] = admin.Permissions
- claims[jwt.SubjectKey] = admin.GetSignature()
- claims[jwt.ExpirationKey] = time.Now().Add(1 * time.Minute)
- _, token, err := server.tokenAuth.Encode(claims)
- assert.NoError(t, err)
- req, _ := http.NewRequest(http.MethodGet, versionPath, nil)
- assert.True(t, isTokenInvalidated(req))
- req.Header.Set("Authorization", fmt.Sprintf("Bearer %v", token))
- invalidatedJWTTokens.Add(token, time.Now().Add(-tokenDuration).UTC())
- require.True(t, isTokenInvalidated(req))
- startCleanupTicker(100 * time.Millisecond)
- assert.Eventually(t, func() bool { return !isTokenInvalidated(req) }, 1*time.Second, 200*time.Millisecond)
- stopCleanupTicker()
- }
- func TestDbTokenManager(t *testing.T) {
- if !isSharedProviderSupported() {
- t.Skip("this test it is not available with this provider")
- }
- mgr := newTokenManager(1)
- dbTokenManager := mgr.(*dbTokenManager)
- testToken := "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOlsiV2ViQWRtaW4iLCI6OjEiXSwiZXhwIjoxNjk4NjYwMDM4LCJqdGkiOiJja3ZuazVrYjF1aHUzZXRmZmhyZyIsIm5iZiI6MTY5ODY1ODgwOCwicGVybWlzc2lvbnMiOlsiKiJdLCJzdWIiOiIxNjk3ODIwNDM3NTMyIiwidXNlcm5hbWUiOiJhZG1pbiJ9.LXuFFksvnSuzHqHat6r70yR0jEulNRju7m7SaWrOfy8; csrftoken=mP0C7DqjwpAXsptO2gGCaYBkYw3oNMWB"
- key := dbTokenManager.getKey(testToken)
- require.Len(t, key, 64)
- dbTokenManager.Add(testToken, time.Now().Add(-tokenDuration).UTC())
- isInvalidated := dbTokenManager.Get(testToken)
- assert.True(t, isInvalidated)
- dbTokenManager.Cleanup()
- isInvalidated = dbTokenManager.Get(testToken)
- assert.False(t, isInvalidated)
- dbTokenManager.Add(testToken, time.Now().Add(tokenDuration).UTC())
- isInvalidated = dbTokenManager.Get(testToken)
- assert.True(t, isInvalidated)
- dbTokenManager.Cleanup()
- isInvalidated = dbTokenManager.Get(testToken)
- assert.True(t, isInvalidated)
- err := dataprovider.DeleteSharedSession(key)
- assert.NoError(t, err)
- }
- func TestAllowedProxyUnixDomainSocket(t *testing.T) {
- b := Binding{
- Address: filepath.Join(os.TempDir(), "sock"),
- ProxyAllowed: []string{"127.0.0.1", "127.0.1.1"},
- }
- err := b.parseAllowedProxy()
- assert.NoError(t, err)
- if assert.Len(t, b.allowHeadersFrom, 1) {
- assert.True(t, b.allowHeadersFrom[0](nil))
- }
- }
- func TestProxyHeaders(t *testing.T) {
- username := "adminTest"
- password := "testPwd"
- admin := dataprovider.Admin{
- Username: username,
- Password: password,
- Permissions: []string{dataprovider.PermAdminAny},
- Status: 1,
- Filters: dataprovider.AdminFilters{
- AllowList: []string{"172.19.2.0/24"},
- },
- }
- err := dataprovider.AddAdmin(&admin, "", "", "")
- assert.NoError(t, err)
- testIP := "10.29.1.9"
- validForwardedFor := "172.19.2.6"
- b := Binding{
- Address: "",
- Port: 8080,
- EnableWebAdmin: true,
- EnableWebClient: false,
- EnableRESTAPI: true,
- ProxyAllowed: []string{testIP, "10.8.0.0/30"},
- ClientIPProxyHeader: "x-forwarded-for",
- }
- err = b.parseAllowedProxy()
- assert.NoError(t, err)
- server := newHttpdServer(b, "", "", CorsConfig{Enabled: true}, "")
- server.initializeRouter()
- testServer := httptest.NewServer(server.router)
- defer testServer.Close()
- req, err := http.NewRequest(http.MethodGet, tokenPath, nil)
- assert.NoError(t, err)
- req.Header.Set("X-Forwarded-For", validForwardedFor)
- req.Header.Set(xForwardedProto, "https")
- req.RemoteAddr = "127.0.0.1:123"
- req.SetBasicAuth(username, password)
- rr := httptest.NewRecorder()
- testServer.Config.Handler.ServeHTTP(rr, req)
- assert.Equal(t, http.StatusUnauthorized, rr.Code)
- assert.Contains(t, rr.Body.String(), "login from IP 127.0.0.1 not allowed")
- req.RemoteAddr = testIP
- rr = httptest.NewRecorder()
- testServer.Config.Handler.ServeHTTP(rr, req)
- assert.Equal(t, http.StatusOK, rr.Code)
- req.RemoteAddr = "10.8.0.2"
- rr = httptest.NewRecorder()
- testServer.Config.Handler.ServeHTTP(rr, req)
- assert.Equal(t, http.StatusOK, rr.Code)
- form := make(url.Values)
- form.Set("username", username)
- form.Set("password", password)
- form.Set(csrfFormToken, createCSRFToken(testIP))
- req, err = http.NewRequest(http.MethodPost, webAdminLoginPath, bytes.NewBuffer([]byte(form.Encode())))
- assert.NoError(t, err)
- req.RemoteAddr = testIP
- req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
- rr = httptest.NewRecorder()
- testServer.Config.Handler.ServeHTTP(rr, req)
- assert.Equal(t, http.StatusOK, rr.Code, rr.Body.String())
- assert.Contains(t, rr.Body.String(), "login from IP 10.29.1.9 not allowed")
- form.Set(csrfFormToken, createCSRFToken(validForwardedFor))
- req, err = http.NewRequest(http.MethodPost, webAdminLoginPath, bytes.NewBuffer([]byte(form.Encode())))
- assert.NoError(t, err)
- req.RemoteAddr = testIP
- req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
- req.Header.Set("X-Forwarded-For", validForwardedFor)
- rr = httptest.NewRecorder()
- testServer.Config.Handler.ServeHTTP(rr, req)
- assert.Equal(t, http.StatusFound, rr.Code, rr.Body.String())
- cookie := rr.Header().Get("Set-Cookie")
- assert.NotContains(t, cookie, "Secure")
- req, err = http.NewRequest(http.MethodPost, webAdminLoginPath, bytes.NewBuffer([]byte(form.Encode())))
- assert.NoError(t, err)
- req.RemoteAddr = testIP
- req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
- req.Header.Set("X-Forwarded-For", validForwardedFor)
- req.Header.Set(xForwardedProto, "https")
- rr = httptest.NewRecorder()
- testServer.Config.Handler.ServeHTTP(rr, req)
- assert.Equal(t, http.StatusFound, rr.Code, rr.Body.String())
- cookie = rr.Header().Get("Set-Cookie")
- assert.Contains(t, cookie, "Secure")
- req, err = http.NewRequest(http.MethodPost, webAdminLoginPath, bytes.NewBuffer([]byte(form.Encode())))
- assert.NoError(t, err)
- req.RemoteAddr = testIP
- req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
- req.Header.Set("X-Forwarded-For", validForwardedFor)
- req.Header.Set(xForwardedProto, "http")
- rr = httptest.NewRecorder()
- testServer.Config.Handler.ServeHTTP(rr, req)
- assert.Equal(t, http.StatusFound, rr.Code, rr.Body.String())
- cookie = rr.Header().Get("Set-Cookie")
- assert.NotContains(t, cookie, "Secure")
- err = dataprovider.DeleteAdmin(username, "", "", "")
- assert.NoError(t, err)
- }
- func TestRecoverer(t *testing.T) {
- recoveryPath := "/recovery"
- b := Binding{
- Address: "",
- Port: 8080,
- EnableWebAdmin: true,
- EnableWebClient: false,
- EnableRESTAPI: true,
- }
- server := newHttpdServer(b, "../static", "", CorsConfig{}, "../openapi")
- server.initializeRouter()
- server.router.Get(recoveryPath, func(w http.ResponseWriter, r *http.Request) {
- panic("panic")
- })
- testServer := httptest.NewServer(server.router)
- defer testServer.Close()
- req, err := http.NewRequest(http.MethodGet, recoveryPath, nil)
- assert.NoError(t, err)
- rr := httptest.NewRecorder()
- testServer.Config.Handler.ServeHTTP(rr, req)
- assert.Equal(t, http.StatusInternalServerError, rr.Code, rr.Body.String())
- server.router = chi.NewRouter()
- server.router.Use(middleware.Recoverer)
- server.router.Get(recoveryPath, func(w http.ResponseWriter, r *http.Request) {
- panic("panic")
- })
- testServer = httptest.NewServer(server.router)
- defer testServer.Close()
- req, err = http.NewRequest(http.MethodGet, recoveryPath, nil)
- assert.NoError(t, err)
- rr = httptest.NewRecorder()
- testServer.Config.Handler.ServeHTTP(rr, req)
- assert.Equal(t, http.StatusInternalServerError, rr.Code, rr.Body.String())
- }
- func TestCompressorAbortHandler(t *testing.T) {
- defer func() {
- rcv := recover()
- assert.Equal(t, http.ErrAbortHandler, rcv)
- }()
- connection := &Connection{
- BaseConnection: common.NewBaseConnection(xid.New().String(), common.ProtocolHTTP, "", "", dataprovider.User{}),
- request: nil,
- }
- share := &dataprovider.Share{}
- renderCompressedFiles(&failingWriter{}, connection, "", nil, share)
- }
- func TestZipErrors(t *testing.T) {
- user := dataprovider.User{
- BaseUser: sdk.BaseUser{
- HomeDir: filepath.Clean(os.TempDir()),
- },
- }
- user.Permissions = make(map[string][]string)
- user.Permissions["/"] = []string{dataprovider.PermAny}
- connection := &Connection{
- BaseConnection: common.NewBaseConnection(xid.New().String(), common.ProtocolHTTP, "", "", user),
- request: nil,
- }
- testDir := filepath.Join(os.TempDir(), "testDir")
- err := os.MkdirAll(testDir, os.ModePerm)
- assert.NoError(t, err)
- wr := zip.NewWriter(&failingWriter{})
- err = wr.Close()
- if assert.Error(t, err) {
- assert.Contains(t, err.Error(), "write error")
- }
- err = addZipEntry(wr, connection, "/"+filepath.Base(testDir), "/")
- if assert.Error(t, err) {
- assert.Contains(t, err.Error(), "write error")
- }
- err = addZipEntry(wr, connection, "/"+filepath.Base(testDir), path.Join("/", filepath.Base(testDir), "dir"))
- if assert.Error(t, err) {
- assert.Contains(t, err.Error(), "is outside base dir")
- }
- testFilePath := filepath.Join(testDir, "ziptest.zip")
- err = os.WriteFile(testFilePath, util.GenerateRandomBytes(65535), os.ModePerm)
- assert.NoError(t, err)
- err = addZipEntry(wr, connection, path.Join("/", filepath.Base(testDir), filepath.Base(testFilePath)),
- "/"+filepath.Base(testDir))
- if assert.Error(t, err) {
- assert.Contains(t, err.Error(), "write error")
- }
- connection.User.Permissions["/"] = []string{dataprovider.PermListItems}
- err = addZipEntry(wr, connection, path.Join("/", filepath.Base(testDir), filepath.Base(testFilePath)),
- "/"+filepath.Base(testDir))
- assert.ErrorIs(t, err, os.ErrPermission)
- // creating a virtual folder to a missing path stat is ok but readdir fails
- user.VirtualFolders = append(user.VirtualFolders, vfs.VirtualFolder{
- BaseVirtualFolder: vfs.BaseVirtualFolder{
- MappedPath: filepath.Join(os.TempDir(), "mapped"),
- },
- VirtualPath: "/vpath",
- })
- connection.User = user
- wr = zip.NewWriter(bytes.NewBuffer(make([]byte, 0)))
- err = addZipEntry(wr, connection, user.VirtualFolders[0].VirtualPath, "/")
- assert.Error(t, err)
- user.Filters.FilePatterns = append(user.Filters.FilePatterns, sdk.PatternsFilter{
- Path: "/",
- DeniedPatterns: []string{"*.zip"},
- })
- err = addZipEntry(wr, connection, "/"+filepath.Base(testDir), "/")
- assert.ErrorIs(t, err, os.ErrPermission)
- err = os.RemoveAll(testDir)
- assert.NoError(t, err)
- }
- func TestWebAdminRedirect(t *testing.T) {
- b := Binding{
- Address: "",
- Port: 8080,
- EnableWebAdmin: true,
- EnableWebClient: false,
- EnableRESTAPI: true,
- }
- server := newHttpdServer(b, "../static", "", CorsConfig{}, "../openapi")
- server.initializeRouter()
- testServer := httptest.NewServer(server.router)
- defer testServer.Close()
- req, err := http.NewRequest(http.MethodGet, webRootPath, nil)
- assert.NoError(t, err)
- rr := httptest.NewRecorder()
- testServer.Config.Handler.ServeHTTP(rr, req)
- assert.Equal(t, http.StatusFound, rr.Code, rr.Body.String())
- assert.Equal(t, webAdminLoginPath, rr.Header().Get("Location"))
- req, err = http.NewRequest(http.MethodGet, webBasePath, nil)
- assert.NoError(t, err)
- rr = httptest.NewRecorder()
- testServer.Config.Handler.ServeHTTP(rr, req)
- assert.Equal(t, http.StatusFound, rr.Code, rr.Body.String())
- assert.Equal(t, webAdminLoginPath, rr.Header().Get("Location"))
- }
- func TestParseRangeRequests(t *testing.T) {
- // curl --verbose "http://127.0.0.1:8080/static/css/sb-admin-2.min.css" -H "Range: bytes=24-24"
- fileSize := int64(169740)
- rangeHeader := "bytes=24-24"
- offset, size, err := parseRangeRequest(rangeHeader[6:], fileSize)
- require.NoError(t, err)
- resp := fmt.Sprintf("bytes %d-%d/%d", offset, offset+size-1, fileSize)
- assert.Equal(t, "bytes 24-24/169740", resp)
- require.Equal(t, int64(1), size)
- // curl --verbose "http://127.0.0.1:8080/static/css/sb-admin-2.min.css" -H "Range: bytes=24-"
- rangeHeader = "bytes=24-"
- offset, size, err = parseRangeRequest(rangeHeader[6:], fileSize)
- require.NoError(t, err)
- resp = fmt.Sprintf("bytes %d-%d/%d", offset, offset+size-1, fileSize)
- assert.Equal(t, "bytes 24-169739/169740", resp)
- require.Equal(t, int64(169716), size)
- // curl --verbose "http://127.0.0.1:8080/static/css/sb-admin-2.min.css" -H "Range: bytes=-1"
- rangeHeader = "bytes=-1"
- offset, size, err = parseRangeRequest(rangeHeader[6:], fileSize)
- require.NoError(t, err)
- resp = fmt.Sprintf("bytes %d-%d/%d", offset, offset+size-1, fileSize)
- assert.Equal(t, "bytes 169739-169739/169740", resp)
- require.Equal(t, int64(1), size)
- // curl --verbose "http://127.0.0.1:8080/static/css/sb-admin-2.min.css" -H "Range: bytes=-100"
- rangeHeader = "bytes=-100"
- offset, size, err = parseRangeRequest(rangeHeader[6:], fileSize)
- require.NoError(t, err)
- resp = fmt.Sprintf("bytes %d-%d/%d", offset, offset+size-1, fileSize)
- assert.Equal(t, "bytes 169640-169739/169740", resp)
- require.Equal(t, int64(100), size)
- // curl --verbose "http://127.0.0.1:8080/static/css/sb-admin-2.min.css" -H "Range: bytes=20-30"
- rangeHeader = "bytes=20-30"
- offset, size, err = parseRangeRequest(rangeHeader[6:], fileSize)
- require.NoError(t, err)
- resp = fmt.Sprintf("bytes %d-%d/%d", offset, offset+size-1, fileSize)
- assert.Equal(t, "bytes 20-30/169740", resp)
- require.Equal(t, int64(11), size)
- // curl --verbose "http://127.0.0.1:8080/static/css/sb-admin-2.min.css" -H "Range: bytes=20-169739"
- rangeHeader = "bytes=20-169739"
- offset, size, err = parseRangeRequest(rangeHeader[6:], fileSize)
- require.NoError(t, err)
- resp = fmt.Sprintf("bytes %d-%d/%d", offset, offset+size-1, fileSize)
- assert.Equal(t, "bytes 20-169739/169740", resp)
- require.Equal(t, int64(169720), size)
- // curl --verbose "http://127.0.0.1:8080/static/css/sb-admin-2.min.css" -H "Range: bytes=20-169740"
- rangeHeader = "bytes=20-169740"
- offset, size, err = parseRangeRequest(rangeHeader[6:], fileSize)
- require.NoError(t, err)
- resp = fmt.Sprintf("bytes %d-%d/%d", offset, offset+size-1, fileSize)
- assert.Equal(t, "bytes 20-169739/169740", resp)
- require.Equal(t, int64(169720), size)
- // curl --verbose "http://127.0.0.1:8080/static/css/sb-admin-2.min.css" -H "Range: bytes=20-169741"
- rangeHeader = "bytes=20-169741"
- offset, size, err = parseRangeRequest(rangeHeader[6:], fileSize)
- require.NoError(t, err)
- resp = fmt.Sprintf("bytes %d-%d/%d", offset, offset+size-1, fileSize)
- assert.Equal(t, "bytes 20-169739/169740", resp)
- require.Equal(t, int64(169720), size)
- //curl --verbose "http://127.0.0.1:8080/static/css/sb-admin-2.min.css" -H "Range: bytes=0-" > /dev/null
- rangeHeader = "bytes=0-"
- offset, size, err = parseRangeRequest(rangeHeader[6:], fileSize)
- require.NoError(t, err)
- resp = fmt.Sprintf("bytes %d-%d/%d", offset, offset+size-1, fileSize)
- assert.Equal(t, "bytes 0-169739/169740", resp)
- require.Equal(t, int64(169740), size)
- // now test errors
- rangeHeader = "bytes=0-a"
- _, _, err = parseRangeRequest(rangeHeader[6:], fileSize)
- require.Error(t, err)
- rangeHeader = "bytes="
- _, _, err = parseRangeRequest(rangeHeader[6:], fileSize)
- require.Error(t, err)
- rangeHeader = "bytes=-"
- _, _, err = parseRangeRequest(rangeHeader[6:], fileSize)
- require.Error(t, err)
- rangeHeader = "bytes=500-300"
- _, _, err = parseRangeRequest(rangeHeader[6:], fileSize)
- require.Error(t, err)
- rangeHeader = "bytes=5000000"
- _, _, err = parseRangeRequest(rangeHeader[6:], fileSize)
- require.Error(t, err)
- }
- func TestRequestHeaderErrors(t *testing.T) {
- req, _ := http.NewRequest(http.MethodGet, webClientFilesPath, nil)
- req.Header.Set("If-Unmodified-Since", "not a date")
- res := checkIfUnmodifiedSince(req, time.Now())
- assert.Equal(t, condNone, res)
- req, _ = http.NewRequest(http.MethodPost, webClientFilesPath, nil)
- res = checkIfModifiedSince(req, time.Now())
- assert.Equal(t, condNone, res)
- req, _ = http.NewRequest(http.MethodPost, webClientFilesPath, nil)
- res = checkIfRange(req, time.Now())
- assert.Equal(t, condNone, res)
- req, _ = http.NewRequest(http.MethodGet, webClientFilesPath, nil)
- req.Header.Set("If-Modified-Since", "not a date")
- res = checkIfModifiedSince(req, time.Now())
- assert.Equal(t, condNone, res)
- req, _ = http.NewRequest(http.MethodGet, webClientFilesPath, nil)
- req.Header.Set("If-Range", time.Now().Format(http.TimeFormat))
- res = checkIfRange(req, time.Time{})
- assert.Equal(t, condFalse, res)
- req.Header.Set("If-Range", "invalid if range date")
- res = checkIfRange(req, time.Now())
- assert.Equal(t, condFalse, res)
- modTime := getFileObjectModTime(time.Time{})
- assert.Empty(t, modTime)
- }
- func TestConnection(t *testing.T) {
- user := dataprovider.User{
- BaseUser: sdk.BaseUser{
- Username: "test_httpd_user",
- HomeDir: filepath.Clean(os.TempDir()),
- },
- FsConfig: vfs.Filesystem{
- Provider: sdk.GCSFilesystemProvider,
- GCSConfig: vfs.GCSFsConfig{
- BaseGCSFsConfig: sdk.BaseGCSFsConfig{
- Bucket: "test_bucket_name",
- },
- Credentials: kms.NewPlainSecret("invalid JSON payload"),
- },
- },
- }
- user.Permissions = make(map[string][]string)
- user.Permissions["/"] = []string{dataprovider.PermAny}
- connection := &Connection{
- BaseConnection: common.NewBaseConnection(xid.New().String(), common.ProtocolHTTP, "", "", user),
- request: nil,
- }
- assert.Empty(t, connection.GetClientVersion())
- assert.Empty(t, connection.GetRemoteAddress())
- assert.Empty(t, connection.GetCommand())
- name := "missing file name"
- _, err := connection.getFileReader(name, 0, http.MethodGet)
- assert.Error(t, err)
- connection.User.FsConfig.Provider = sdk.LocalFilesystemProvider
- _, err = connection.getFileReader(name, 0, http.MethodGet)
- assert.ErrorIs(t, err, os.ErrNotExist)
- }
- func TestGetFileWriterErrors(t *testing.T) {
- user := dataprovider.User{
- BaseUser: sdk.BaseUser{
- Username: "test_httpd_user",
- HomeDir: "invalid",
- },
- }
- user.Permissions = make(map[string][]string)
- user.Permissions["/"] = []string{dataprovider.PermAny}
- connection := &Connection{
- BaseConnection: common.NewBaseConnection(xid.New().String(), common.ProtocolHTTP, "", "", user),
- request: nil,
- }
- _, err := connection.getFileWriter("name")
- assert.Error(t, err)
- user.FsConfig.Provider = sdk.S3FilesystemProvider
- user.FsConfig.S3Config = vfs.S3FsConfig{
- BaseS3FsConfig: sdk.BaseS3FsConfig{
- Bucket: "b",
- Region: "us-west-1",
- AccessKey: "key",
- },
- AccessSecret: kms.NewPlainSecret("secret"),
- }
- connection = &Connection{
- BaseConnection: common.NewBaseConnection(xid.New().String(), common.ProtocolHTTP, "", "", user),
- request: nil,
- }
- _, err = connection.getFileWriter("/path")
- assert.Error(t, err)
- }
- func TestThrottledHandler(t *testing.T) {
- tr := &throttledReader{
- r: io.NopCloser(bytes.NewBuffer(nil)),
- }
- assert.Equal(t, int64(0), tr.GetTruncatedSize())
- err := tr.Close()
- assert.NoError(t, err)
- assert.Empty(t, tr.GetRealFsPath("real path"))
- assert.False(t, tr.SetTimes("p", time.Now(), time.Now()))
- _, err = tr.Truncate("", 0)
- assert.ErrorIs(t, err, vfs.ErrVfsUnsupported)
- err = tr.GetAbortError()
- assert.ErrorIs(t, err, common.ErrTransferAborted)
- }
- func TestHTTPDFile(t *testing.T) {
- user := dataprovider.User{
- BaseUser: sdk.BaseUser{
- Username: "test_httpd_user",
- HomeDir: filepath.Clean(os.TempDir()),
- },
- }
- user.Permissions = make(map[string][]string)
- user.Permissions["/"] = []string{dataprovider.PermAny}
- connection := &Connection{
- BaseConnection: common.NewBaseConnection(xid.New().String(), common.ProtocolHTTP, "", "", user),
- request: nil,
- }
- fs, err := user.GetFilesystem("")
- assert.NoError(t, err)
- name := "fileName"
- p := filepath.Join(os.TempDir(), name)
- err = os.WriteFile(p, []byte("contents"), os.ModePerm)
- assert.NoError(t, err)
- file, err := os.Open(p)
- assert.NoError(t, err)
- err = file.Close()
- assert.NoError(t, err)
- baseTransfer := common.NewBaseTransfer(file, connection.BaseConnection, nil, p, p, name, common.TransferDownload,
- 0, 0, 0, 0, false, fs, dataprovider.TransferQuota{})
- httpdFile := newHTTPDFile(baseTransfer, nil, nil)
- // the file is closed, read should fail
- buf := make([]byte, 100)
- _, err = httpdFile.Read(buf)
- assert.Error(t, err)
- err = httpdFile.Close()
- assert.Error(t, err)
- err = httpdFile.Close()
- assert.ErrorIs(t, err, common.ErrTransferClosed)
- err = os.Remove(p)
- assert.NoError(t, err)
- httpdFile.writer = file
- httpdFile.File = nil
- httpdFile.ErrTransfer = nil
- err = httpdFile.closeIO()
- assert.Error(t, err)
- assert.Error(t, httpdFile.ErrTransfer)
- assert.Equal(t, err, httpdFile.ErrTransfer)
- httpdFile.SignalClose(nil)
- _, err = httpdFile.Write(nil)
- assert.ErrorIs(t, err, common.ErrQuotaExceeded)
- }
- func TestChangeUserPwd(t *testing.T) {
- req, _ := http.NewRequest(http.MethodPost, webChangeClientPwdPath, nil)
- err := doChangeUserPassword(req, "", "", "")
- if assert.Error(t, err) {
- assert.Contains(t, err.Error(), "please provide the current password and the new one two times")
- }
- err = doChangeUserPassword(req, "a", "b", "c")
- if assert.Error(t, err) {
- assert.Contains(t, err.Error(), "the two password fields do not match")
- }
- err = doChangeUserPassword(req, "a", "b", "b")
- if assert.Error(t, err) {
- assert.Contains(t, err.Error(), "invalid token claims")
- }
- }
- func TestWebUserInvalidClaims(t *testing.T) {
- server := httpdServer{}
- server.initializeRouter()
- rr := httptest.NewRecorder()
- user := dataprovider.User{
- BaseUser: sdk.BaseUser{
- Username: "",
- Password: "pwd",
- },
- }
- c := jwtTokenClaims{
- Username: user.Username,
- Permissions: nil,
- Signature: user.GetSignature(),
- }
- token, err := c.createTokenResponse(server.tokenAuth, tokenAudienceWebClient, "")
- assert.NoError(t, err)
- req, _ := http.NewRequest(http.MethodGet, webClientFilesPath, nil)
- req.Header.Set("Cookie", fmt.Sprintf("jwt=%v", token["access_token"]))
- server.handleClientGetFiles(rr, req)
- assert.Equal(t, http.StatusForbidden, rr.Code)
- assert.Contains(t, rr.Body.String(), "Invalid token claims")
- rr = httptest.NewRecorder()
- req, _ = http.NewRequest(http.MethodGet, webClientDirsPath, nil)
- req.Header.Set("Cookie", fmt.Sprintf("jwt=%v", token["access_token"]))
- server.handleClientGetDirContents(rr, req)
- assert.Equal(t, http.StatusForbidden, rr.Code)
- assert.Contains(t, rr.Body.String(), "invalid token claims")
- rr = httptest.NewRecorder()
- req, _ = http.NewRequest(http.MethodGet, webClientDownloadZipPath, nil)
- req.Header.Set("Cookie", fmt.Sprintf("jwt=%v", token["access_token"]))
- server.handleWebClientDownloadZip(rr, req)
- assert.Equal(t, http.StatusForbidden, rr.Code)
- assert.Contains(t, rr.Body.String(), "Invalid token claims")
- rr = httptest.NewRecorder()
- req, _ = http.NewRequest(http.MethodGet, webClientEditFilePath, nil)
- req.Header.Set("Cookie", fmt.Sprintf("jwt=%v", token["access_token"]))
- server.handleClientEditFile(rr, req)
- assert.Equal(t, http.StatusForbidden, rr.Code)
- assert.Contains(t, rr.Body.String(), "Invalid token claims")
- rr = httptest.NewRecorder()
- req, _ = http.NewRequest(http.MethodGet, webClientSharePath, nil)
- req.Header.Set("Cookie", fmt.Sprintf("jwt=%v", token["access_token"]))
- server.handleClientAddShareGet(rr, req)
- assert.Equal(t, http.StatusForbidden, rr.Code)
- assert.Contains(t, rr.Body.String(), "Invalid token claims")
- rr = httptest.NewRecorder()
- req, _ = http.NewRequest(http.MethodGet, webClientSharePath, nil)
- req.Header.Set("Cookie", fmt.Sprintf("jwt=%v", token["access_token"]))
- server.handleClientUpdateShareGet(rr, req)
- assert.Equal(t, http.StatusForbidden, rr.Code)
- assert.Contains(t, rr.Body.String(), "Invalid token claims")
- rr = httptest.NewRecorder()
- req, _ = http.NewRequest(http.MethodPost, webClientSharePath, nil)
- req.Header.Set("Cookie", fmt.Sprintf("jwt=%v", token["access_token"]))
- server.handleClientAddSharePost(rr, req)
- assert.Equal(t, http.StatusForbidden, rr.Code)
- assert.Contains(t, rr.Body.String(), "Invalid token claims")
- rr = httptest.NewRecorder()
- req, _ = http.NewRequest(http.MethodPost, webClientSharePath+"/id", nil)
- req.Header.Set("Cookie", fmt.Sprintf("jwt=%v", token["access_token"]))
- server.handleClientUpdateSharePost(rr, req)
- assert.Equal(t, http.StatusForbidden, rr.Code)
- assert.Contains(t, rr.Body.String(), "Invalid token claims")
- rr = httptest.NewRecorder()
- req, _ = http.NewRequest(http.MethodGet, webClientSharesPath, nil)
- req.Header.Set("Cookie", fmt.Sprintf("jwt=%v", token["access_token"]))
- server.handleClientGetShares(rr, req)
- assert.Equal(t, http.StatusForbidden, rr.Code)
- assert.Contains(t, rr.Body.String(), "Invalid token claims")
- rr = httptest.NewRecorder()
- req, _ = http.NewRequest(http.MethodGet, webClientViewPDFPath, nil)
- req.Header.Set("Cookie", fmt.Sprintf("jwt=%v", token["access_token"]))
- server.handleClientGetPDF(rr, req)
- assert.Equal(t, http.StatusForbidden, rr.Code)
- assert.Contains(t, rr.Body.String(), "Invalid token claims")
- }
- func TestInvalidClaims(t *testing.T) {
- server := httpdServer{}
- server.initializeRouter()
- rr := httptest.NewRecorder()
- user := dataprovider.User{
- BaseUser: sdk.BaseUser{
- Username: "",
- Password: "pwd",
- },
- }
- c := jwtTokenClaims{
- Username: user.Username,
- Permissions: nil,
- Signature: user.GetSignature(),
- }
- token, err := c.createTokenResponse(server.tokenAuth, tokenAudienceWebClient, "")
- assert.NoError(t, err)
- form := make(url.Values)
- form.Set(csrfFormToken, createCSRFToken(""))
- form.Set("public_keys", "")
- req, _ := http.NewRequest(http.MethodPost, webClientProfilePath, bytes.NewBuffer([]byte(form.Encode())))
- req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
- req.Header.Set("Cookie", fmt.Sprintf("jwt=%v", token["access_token"]))
- server.handleWebClientProfilePost(rr, req)
- assert.Equal(t, http.StatusForbidden, rr.Code)
- admin := dataprovider.Admin{
- Username: "",
- Password: user.Password,
- }
- c = jwtTokenClaims{
- Username: admin.Username,
- Permissions: nil,
- Signature: admin.GetSignature(),
- }
- token, err = c.createTokenResponse(server.tokenAuth, tokenAudienceWebAdmin, "")
- assert.NoError(t, err)
- form = make(url.Values)
- form.Set(csrfFormToken, createCSRFToken(""))
- form.Set("allow_api_key_auth", "")
- req, _ = http.NewRequest(http.MethodPost, webAdminProfilePath, bytes.NewBuffer([]byte(form.Encode())))
- req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
- req.Header.Set("Cookie", fmt.Sprintf("jwt=%v", token["access_token"]))
- server.handleWebAdminProfilePost(rr, req)
- assert.Equal(t, http.StatusForbidden, rr.Code)
- }
- func TestTLSReq(t *testing.T) {
- req, err := http.NewRequest(http.MethodGet, webClientLoginPath, nil)
- assert.NoError(t, err)
- req.TLS = &tls.ConnectionState{}
- assert.True(t, isTLS(req))
- req.TLS = nil
- ctx := context.WithValue(req.Context(), forwardedProtoKey, "https")
- assert.True(t, isTLS(req.WithContext(ctx)))
- ctx = context.WithValue(req.Context(), forwardedProtoKey, "http")
- assert.False(t, isTLS(req.WithContext(ctx)))
- assert.Equal(t, "context value forwarded proto", forwardedProtoKey.String())
- }
- func TestSigningKey(t *testing.T) {
- signingPassphrase := "test"
- server1 := httpdServer{
- signingPassphrase: signingPassphrase,
- }
- server1.initializeRouter()
- server2 := httpdServer{
- signingPassphrase: signingPassphrase,
- }
- server2.initializeRouter()
- user := dataprovider.User{
- BaseUser: sdk.BaseUser{
- Username: "",
- Password: "pwd",
- },
- }
- c := jwtTokenClaims{
- Username: user.Username,
- Permissions: nil,
- Signature: user.GetSignature(),
- }
- token, err := c.createTokenResponse(server1.tokenAuth, tokenAudienceWebClient, "")
- assert.NoError(t, err)
- accessToken := token["access_token"].(string)
- assert.NotEmpty(t, accessToken)
- _, err = server1.tokenAuth.Decode(accessToken)
- assert.NoError(t, err)
- _, err = server2.tokenAuth.Decode(accessToken)
- assert.NoError(t, err)
- }
- func TestLoginLinks(t *testing.T) {
- b := Binding{
- EnableWebAdmin: true,
- EnableWebClient: false,
- EnableRESTAPI: true,
- }
- assert.False(t, b.showClientLoginURL())
- b = Binding{
- EnableWebAdmin: false,
- EnableWebClient: true,
- EnableRESTAPI: true,
- }
- assert.False(t, b.showAdminLoginURL())
- b = Binding{
- EnableWebAdmin: true,
- EnableWebClient: true,
- EnableRESTAPI: true,
- }
- assert.True(t, b.showAdminLoginURL())
- assert.True(t, b.showClientLoginURL())
- b.HideLoginURL = 3
- assert.False(t, b.showAdminLoginURL())
- assert.False(t, b.showClientLoginURL())
- b.HideLoginURL = 1
- assert.True(t, b.showAdminLoginURL())
- assert.False(t, b.showClientLoginURL())
- b.HideLoginURL = 2
- assert.False(t, b.showAdminLoginURL())
- assert.True(t, b.showClientLoginURL())
- }
- func TestResetCodesCleanup(t *testing.T) {
- resetCode := newResetCode(util.GenerateUniqueID(), false)
- resetCode.ExpiresAt = time.Now().Add(-1 * time.Minute).UTC()
- err := resetCodesMgr.Add(resetCode)
- assert.NoError(t, err)
- resetCodesMgr.Cleanup()
- _, err = resetCodesMgr.Get(resetCode.Code)
- assert.Error(t, err)
- }
- func TestUserCanResetPassword(t *testing.T) {
- req, err := http.NewRequest(http.MethodGet, webClientLoginPath, nil)
- assert.NoError(t, err)
- req.RemoteAddr = "172.16.9.2:55080"
- u := dataprovider.User{}
- assert.True(t, isUserAllowedToResetPassword(req, &u))
- u.Filters.DeniedProtocols = []string{common.ProtocolHTTP}
- assert.False(t, isUserAllowedToResetPassword(req, &u))
- u.Filters.DeniedProtocols = nil
- u.Filters.WebClient = []string{sdk.WebClientPasswordResetDisabled}
- assert.False(t, isUserAllowedToResetPassword(req, &u))
- u.Filters.WebClient = nil
- u.Filters.DeniedLoginMethods = []string{dataprovider.LoginMethodPassword}
- assert.False(t, isUserAllowedToResetPassword(req, &u))
- u.Filters.DeniedLoginMethods = nil
- u.Filters.AllowedIP = []string{"127.0.0.1/8"}
- assert.False(t, isUserAllowedToResetPassword(req, &u))
- }
- func TestMetadataAPI(t *testing.T) {
- username := "metadatauser"
- assert.False(t, common.ActiveMetadataChecks.Remove(username))
- user := dataprovider.User{
- BaseUser: sdk.BaseUser{
- Username: username,
- Password: "metadata_pwd",
- HomeDir: filepath.Join(os.TempDir(), username),
- Status: 1,
- },
- }
- user.Permissions = make(map[string][]string)
- user.Permissions["/"] = []string{dataprovider.PermAny}
- err := dataprovider.AddUser(&user, "", "", "")
- assert.NoError(t, err)
- assert.True(t, common.ActiveMetadataChecks.Add(username, ""))
- tokenAuth := jwtauth.New(jwa.HS256.String(), util.GenerateRandomBytes(32), nil)
- claims := make(map[string]any)
- claims["username"] = defaultAdminUsername
- claims[jwt.ExpirationKey] = time.Now().UTC().Add(1 * time.Hour)
- token, _, err := tokenAuth.Encode(claims)
- assert.NoError(t, err)
- req, err := http.NewRequest(http.MethodPost, path.Join(metadataBasePath, username, "check"), nil)
- assert.NoError(t, err)
- rctx := chi.NewRouteContext()
- rctx.URLParams.Add("username", username)
- req = req.WithContext(context.WithValue(req.Context(), chi.RouteCtxKey, rctx))
- req = req.WithContext(context.WithValue(req.Context(), jwtauth.TokenCtxKey, token))
- rr := httptest.NewRecorder()
- startMetadataCheck(rr, req)
- assert.Equal(t, http.StatusConflict, rr.Code, rr.Body.String())
- assert.True(t, common.ActiveMetadataChecks.Remove(username))
- assert.Len(t, common.ActiveMetadataChecks.Get(""), 0)
- err = dataprovider.DeleteUser(username, "", "", "")
- assert.NoError(t, err)
- user.FsConfig.Provider = sdk.AzureBlobFilesystemProvider
- err = doMetadataCheck(user)
- assert.Error(t, err)
- }
- func TestBrowsableSharePaths(t *testing.T) {
- share := dataprovider.Share{
- Paths: []string{"/"},
- Username: defaultAdminUsername,
- }
- _, err := getUserForShare(share)
- if assert.Error(t, err) {
- assert.ErrorIs(t, err, util.ErrNotFound)
- }
- req, err := http.NewRequest(http.MethodGet, "/share", nil)
- require.NoError(t, err)
- name, err := getBrowsableSharedPath(share, req)
- assert.NoError(t, err)
- assert.Equal(t, "/", name)
- req, err = http.NewRequest(http.MethodGet, "/share?path=abc", nil)
- require.NoError(t, err)
- name, err = getBrowsableSharedPath(share, req)
- assert.NoError(t, err)
- assert.Equal(t, "/abc", name)
- share.Paths = []string{"/a/b/c"}
- req, err = http.NewRequest(http.MethodGet, "/share?path=abc", nil)
- require.NoError(t, err)
- name, err = getBrowsableSharedPath(share, req)
- assert.NoError(t, err)
- assert.Equal(t, "/a/b/c/abc", name)
- req, err = http.NewRequest(http.MethodGet, "/share?path=%2Fabc/d", nil)
- require.NoError(t, err)
- name, err = getBrowsableSharedPath(share, req)
- assert.NoError(t, err)
- assert.Equal(t, "/a/b/c/abc/d", name)
- req, err = http.NewRequest(http.MethodGet, "/share?path=%2Fabc%2F..%2F..", nil)
- require.NoError(t, err)
- _, err = getBrowsableSharedPath(share, req)
- assert.Error(t, err)
- req, err = http.NewRequest(http.MethodGet, "/share?path=%2Fabc%2F..", nil)
- require.NoError(t, err)
- name, err = getBrowsableSharedPath(share, req)
- assert.NoError(t, err)
- assert.Equal(t, "/a/b/c", name)
- share = dataprovider.Share{
- Paths: []string{"/a", "/b"},
- }
- }
- func TestSecureMiddlewareIntegration(t *testing.T) {
- forwardedHostHeader := "X-Forwarded-Host"
- server := httpdServer{
- binding: Binding{
- ProxyAllowed: []string{"192.168.1.0/24"},
- Security: SecurityConf{
- Enabled: true,
- AllowedHosts: []string{"*.sftpgo.com"},
- AllowedHostsAreRegex: true,
- HostsProxyHeaders: []string{forwardedHostHeader},
- HTTPSProxyHeaders: []HTTPSProxyHeader{
- {
- Key: xForwardedProto,
- Value: "https",
- },
- },
- STSSeconds: 31536000,
- STSIncludeSubdomains: true,
- STSPreload: true,
- ContentTypeNosniff: true,
- },
- },
- enableWebAdmin: true,
- enableWebClient: true,
- enableRESTAPI: true,
- }
- server.binding.Security.updateProxyHeaders()
- err := server.binding.parseAllowedProxy()
- assert.NoError(t, err)
- assert.Equal(t, []string{forwardedHostHeader, xForwardedProto}, server.binding.Security.proxyHeaders)
- assert.Equal(t, map[string]string{xForwardedProto: "https"}, server.binding.Security.getHTTPSProxyHeaders())
- server.initializeRouter()
- rr := httptest.NewRecorder()
- r, err := http.NewRequest(http.MethodGet, webClientLoginPath, nil)
- assert.NoError(t, err)
- r.Host = "127.0.0.1"
- server.router.ServeHTTP(rr, r)
- assert.Equal(t, http.StatusForbidden, rr.Code)
- rr = httptest.NewRecorder()
- r.Header.Set(forwardedHostHeader, "www.sftpgo.com")
- server.router.ServeHTTP(rr, r)
- assert.Equal(t, http.StatusForbidden, rr.Code)
- // the header should be removed
- assert.Empty(t, r.Header.Get(forwardedHostHeader))
- rr = httptest.NewRecorder()
- r.Host = "test.sftpgo.com"
- r.Header.Set(forwardedHostHeader, "test.example.com")
- r.RemoteAddr = "192.168.1.1"
- server.router.ServeHTTP(rr, r)
- assert.Equal(t, http.StatusForbidden, rr.Code)
- assert.NotEmpty(t, r.Header.Get(forwardedHostHeader))
- rr = httptest.NewRecorder()
- r.Header.Set(forwardedHostHeader, "www.sftpgo.com")
- r.RemoteAddr = "192.168.1.1"
- server.router.ServeHTTP(rr, r)
- assert.Equal(t, http.StatusOK, rr.Code)
- assert.NotEmpty(t, r.Header.Get(forwardedHostHeader))
- assert.Empty(t, rr.Header().Get("Strict-Transport-Security"))
- assert.Equal(t, "nosniff", rr.Header().Get("X-Content-Type-Options"))
- // now set the X-Forwarded-Proto to https, we should get the Strict-Transport-Security header
- rr = httptest.NewRecorder()
- r.Host = "test.sftpgo.com"
- r.Header.Set(xForwardedProto, "https")
- r.RemoteAddr = "192.168.1.3"
- server.router.ServeHTTP(rr, r)
- assert.Equal(t, http.StatusOK, rr.Code)
- assert.NotEmpty(t, r.Header.Get(forwardedHostHeader))
- assert.Equal(t, "max-age=31536000; includeSubDomains; preload", rr.Header().Get("Strict-Transport-Security"))
- assert.Equal(t, "nosniff", rr.Header().Get("X-Content-Type-Options"))
- server.binding.Security.Enabled = false
- server.binding.Security.updateProxyHeaders()
- assert.Len(t, server.binding.Security.proxyHeaders, 0)
- }
- func TestGetCompressedFileName(t *testing.T) {
- username := "test"
- res := getCompressedFileName(username, []string{"single dir"})
- require.Equal(t, fmt.Sprintf("%s-single dir.zip", username), res)
- res = getCompressedFileName(username, []string{"file1", "file2"})
- require.Equal(t, fmt.Sprintf("%s-download.zip", username), res)
- res = getCompressedFileName(username, []string{"file1.txt"})
- require.Equal(t, fmt.Sprintf("%s-file1.zip", username), res)
- // now files with full paths
- res = getCompressedFileName(username, []string{"/dir/single dir"})
- require.Equal(t, fmt.Sprintf("%s-single dir.zip", username), res)
- res = getCompressedFileName(username, []string{"/adir/file1", "/adir/file2"})
- require.Equal(t, fmt.Sprintf("%s-download.zip", username), res)
- res = getCompressedFileName(username, []string{"/sub/dir/file1.txt"})
- require.Equal(t, fmt.Sprintf("%s-file1.zip", username), res)
- }
- func TestRESTAPIDisabled(t *testing.T) {
- server := httpdServer{
- enableWebAdmin: true,
- enableWebClient: true,
- enableRESTAPI: false,
- }
- server.initializeRouter()
- assert.False(t, server.enableRESTAPI)
- rr := httptest.NewRecorder()
- r, err := http.NewRequest(http.MethodGet, healthzPath, nil)
- assert.NoError(t, err)
- server.router.ServeHTTP(rr, r)
- assert.Equal(t, http.StatusOK, rr.Code)
- rr = httptest.NewRecorder()
- r, err = http.NewRequest(http.MethodGet, tokenPath, nil)
- assert.NoError(t, err)
- server.router.ServeHTTP(rr, r)
- assert.Equal(t, http.StatusNotFound, rr.Code)
- }
- func TestWebAdminSetupWithInstallCode(t *testing.T) {
- installationCode = "1234"
- // delete all the admins
- admins, err := dataprovider.GetAdmins(100, 0, dataprovider.OrderASC)
- assert.NoError(t, err)
- for _, admin := range admins {
- err = dataprovider.DeleteAdmin(admin.Username, "", "", "")
- assert.NoError(t, err)
- }
- // close the provider and initializes it without creating the default admin
- providerConf := dataprovider.GetProviderConfig()
- providerConf.CreateDefaultAdmin = false
- err = dataprovider.Close()
- assert.NoError(t, err)
- err = dataprovider.Initialize(providerConf, configDir, true)
- assert.NoError(t, err)
- server := httpdServer{
- enableWebAdmin: true,
- enableWebClient: true,
- enableRESTAPI: true,
- }
- server.initializeRouter()
- rr := httptest.NewRecorder()
- r, err := http.NewRequest(http.MethodGet, webAdminSetupPath, nil)
- assert.NoError(t, err)
- server.router.ServeHTTP(rr, r)
- assert.Equal(t, http.StatusOK, rr.Code)
- for _, webURL := range []string{"/", webBasePath, webBaseAdminPath, webAdminLoginPath, webClientLoginPath} {
- rr = httptest.NewRecorder()
- r, err = http.NewRequest(http.MethodGet, webURL, nil)
- assert.NoError(t, err)
- server.router.ServeHTTP(rr, r)
- assert.Equal(t, http.StatusFound, rr.Code)
- assert.Equal(t, webAdminSetupPath, rr.Header().Get("Location"))
- }
- form := make(url.Values)
- csrfToken := createCSRFToken("")
- form.Set("_form_token", csrfToken)
- form.Set("install_code", installationCode+"5")
- form.Set("username", defaultAdminUsername)
- form.Set("password", "password")
- form.Set("confirm_password", "password")
- rr = httptest.NewRecorder()
- r, err = http.NewRequest(http.MethodPost, webAdminSetupPath, bytes.NewBuffer([]byte(form.Encode())))
- assert.NoError(t, err)
- r.Header.Set("Content-Type", "application/x-www-form-urlencoded")
- server.router.ServeHTTP(rr, r)
- assert.Equal(t, http.StatusOK, rr.Code)
- assert.Contains(t, rr.Body.String(), "Installation code mismatch")
- _, err = dataprovider.AdminExists(defaultAdminUsername)
- assert.Error(t, err)
- form.Set("install_code", installationCode)
- rr = httptest.NewRecorder()
- r, err = http.NewRequest(http.MethodPost, webAdminSetupPath, bytes.NewBuffer([]byte(form.Encode())))
- assert.NoError(t, err)
- r.Header.Set("Content-Type", "application/x-www-form-urlencoded")
- server.router.ServeHTTP(rr, r)
- assert.Equal(t, http.StatusFound, rr.Code)
- _, err = dataprovider.AdminExists(defaultAdminUsername)
- assert.NoError(t, err)
- // delete the admin and test the installation code resolver
- err = dataprovider.DeleteAdmin(defaultAdminUsername, "", "", "")
- assert.NoError(t, err)
- err = dataprovider.Close()
- assert.NoError(t, err)
- err = dataprovider.Initialize(providerConf, configDir, true)
- assert.NoError(t, err)
- SetInstallationCodeResolver(func(defaultInstallationCode string) string {
- return "5678"
- })
- rr = httptest.NewRecorder()
- r, err = http.NewRequest(http.MethodGet, webAdminSetupPath, nil)
- assert.NoError(t, err)
- server.router.ServeHTTP(rr, r)
- assert.Equal(t, http.StatusOK, rr.Code)
- for _, webURL := range []string{"/", webBasePath, webBaseAdminPath, webAdminLoginPath, webClientLoginPath} {
- rr = httptest.NewRecorder()
- r, err = http.NewRequest(http.MethodGet, webURL, nil)
- assert.NoError(t, err)
- server.router.ServeHTTP(rr, r)
- assert.Equal(t, http.StatusFound, rr.Code)
- assert.Equal(t, webAdminSetupPath, rr.Header().Get("Location"))
- }
- form = make(url.Values)
- csrfToken = createCSRFToken("")
- form.Set("_form_token", csrfToken)
- form.Set("install_code", installationCode)
- form.Set("username", defaultAdminUsername)
- form.Set("password", "password")
- form.Set("confirm_password", "password")
- rr = httptest.NewRecorder()
- r, err = http.NewRequest(http.MethodPost, webAdminSetupPath, bytes.NewBuffer([]byte(form.Encode())))
- assert.NoError(t, err)
- r.Header.Set("Content-Type", "application/x-www-form-urlencoded")
- server.router.ServeHTTP(rr, r)
- assert.Equal(t, http.StatusOK, rr.Code)
- assert.Contains(t, rr.Body.String(), "Installation code mismatch")
- _, err = dataprovider.AdminExists(defaultAdminUsername)
- assert.Error(t, err)
- form.Set("install_code", "5678")
- rr = httptest.NewRecorder()
- r, err = http.NewRequest(http.MethodPost, webAdminSetupPath, bytes.NewBuffer([]byte(form.Encode())))
- assert.NoError(t, err)
- r.Header.Set("Content-Type", "application/x-www-form-urlencoded")
- server.router.ServeHTTP(rr, r)
- assert.Equal(t, http.StatusFound, rr.Code)
- _, err = dataprovider.AdminExists(defaultAdminUsername)
- assert.NoError(t, err)
- err = dataprovider.Close()
- assert.NoError(t, err)
- providerConf.CreateDefaultAdmin = true
- err = dataprovider.Initialize(providerConf, configDir, true)
- assert.NoError(t, err)
- installationCode = ""
- SetInstallationCodeResolver(nil)
- }
- func TestDbResetCodeManager(t *testing.T) {
- if !isSharedProviderSupported() {
- t.Skip("this test it is not available with this provider")
- }
- mgr := newResetCodeManager(1)
- resetCode := newResetCode("admin", true)
- err := mgr.Add(resetCode)
- assert.NoError(t, err)
- codeGet, err := mgr.Get(resetCode.Code)
- assert.NoError(t, err)
- assert.Equal(t, resetCode, codeGet)
- err = mgr.Delete(resetCode.Code)
- assert.NoError(t, err)
- err = mgr.Delete(resetCode.Code)
- if assert.Error(t, err) {
- assert.ErrorIs(t, err, util.ErrNotFound)
- }
- _, err = mgr.Get(resetCode.Code)
- assert.ErrorIs(t, err, sql.ErrNoRows)
- // add an expired reset code
- resetCode = newResetCode("user", false)
- resetCode.ExpiresAt = time.Now().Add(-24 * time.Hour)
- err = mgr.Add(resetCode)
- assert.NoError(t, err)
- _, err = mgr.Get(resetCode.Code)
- if assert.Error(t, err) {
- assert.Contains(t, err.Error(), "reset code expired")
- }
- mgr.Cleanup()
- _, err = mgr.Get(resetCode.Code)
- assert.ErrorIs(t, err, sql.ErrNoRows)
- dbMgr, ok := mgr.(*dbResetCodeManager)
- if assert.True(t, ok) {
- _, err = dbMgr.decodeData("astring")
- assert.Error(t, err)
- }
- }
- func TestDecodeToken(t *testing.T) {
- nodeID := "nodeID"
- token := map[string]any{
- claimUsernameKey: defaultAdminUsername,
- claimPermissionsKey: []string{dataprovider.PermAdminAny},
- jwt.SubjectKey: "",
- claimNodeID: nodeID,
- claimMustChangePasswordKey: false,
- claimMustSetSecondFactorKey: true,
- }
- c := jwtTokenClaims{}
- c.Decode(token)
- assert.Equal(t, defaultAdminUsername, c.Username)
- assert.Equal(t, nodeID, c.NodeID)
- assert.False(t, c.MustChangePassword)
- assert.True(t, c.MustSetTwoFactorAuth)
- token[claimMustChangePasswordKey] = 10
- c = jwtTokenClaims{}
- c.Decode(token)
- assert.False(t, c.MustChangePassword)
- token[claimMustChangePasswordKey] = true
- c = jwtTokenClaims{}
- c.Decode(token)
- assert.True(t, c.MustChangePassword)
- claims := c.asMap()
- assert.Equal(t, token, claims)
- }
- func TestEventRoleFilter(t *testing.T) {
- defaultVal := "default"
- req, err := http.NewRequest(http.MethodGet, fsEventsPath+"?role=role1", nil)
- require.NoError(t, err)
- role := getRoleFilterForEventSearch(req, defaultVal)
- assert.Equal(t, defaultVal, role)
- role = getRoleFilterForEventSearch(req, "")
- assert.Equal(t, "role1", role)
- }
- func TestEventsCSV(t *testing.T) {
- e := fsEvent{
- Status: 1,
- }
- data := e.getCSVData()
- assert.Equal(t, "OK", data[5])
- e.Status = 2
- data = e.getCSVData()
- assert.Equal(t, "KO", data[5])
- e.Status = 3
- data = e.getCSVData()
- assert.Equal(t, "Quota exceeded", data[5])
- }
- func TestConfigsFromProvider(t *testing.T) {
- err := dataprovider.UpdateConfigs(nil, "", "", "")
- assert.NoError(t, err)
- c := Conf{
- Bindings: []Binding{
- {
- Port: 1234,
- },
- {
- Port: 80,
- Security: SecurityConf{
- Enabled: true,
- HTTPSRedirect: true,
- },
- },
- },
- }
- err = c.loadFromProvider()
- assert.NoError(t, err)
- assert.Empty(t, c.acmeDomain)
- configs := dataprovider.Configs{
- ACME: &dataprovider.ACMEConfigs{
- Domain: "domain.com",
- Email: "info@domain.com",
- HTTP01Challenge: dataprovider.ACMEHTTP01Challenge{Port: 80},
- Protocols: 1,
- },
- }
- err = dataprovider.UpdateConfigs(&configs, "", "", "")
- assert.NoError(t, err)
- util.CertsBasePath = ""
- // crt and key empty
- err = c.loadFromProvider()
- assert.NoError(t, err)
- assert.Empty(t, c.acmeDomain)
- util.CertsBasePath = filepath.Clean(os.TempDir())
- // crt not found
- err = c.loadFromProvider()
- assert.NoError(t, err)
- assert.Empty(t, c.acmeDomain)
- keyPairs := c.getKeyPairs(configDir)
- assert.Len(t, keyPairs, 0)
- crtPath := filepath.Join(util.CertsBasePath, util.SanitizeDomain(configs.ACME.Domain)+".crt")
- err = os.WriteFile(crtPath, nil, 0666)
- assert.NoError(t, err)
- // key not found
- err = c.loadFromProvider()
- assert.NoError(t, err)
- assert.Empty(t, c.acmeDomain)
- keyPairs = c.getKeyPairs(configDir)
- assert.Len(t, keyPairs, 0)
- keyPath := filepath.Join(util.CertsBasePath, util.SanitizeDomain(configs.ACME.Domain)+".key")
- err = os.WriteFile(keyPath, nil, 0666)
- assert.NoError(t, err)
- // acme cert used
- err = c.loadFromProvider()
- assert.NoError(t, err)
- assert.Equal(t, configs.ACME.Domain, c.acmeDomain)
- keyPairs = c.getKeyPairs(configDir)
- assert.Len(t, keyPairs, 1)
- assert.True(t, c.Bindings[0].EnableHTTPS)
- assert.False(t, c.Bindings[1].EnableHTTPS)
- // protocols does not match
- configs.ACME.Protocols = 6
- err = dataprovider.UpdateConfigs(&configs, "", "", "")
- assert.NoError(t, err)
- c.acmeDomain = ""
- err = c.loadFromProvider()
- assert.NoError(t, err)
- assert.Empty(t, c.acmeDomain)
- keyPairs = c.getKeyPairs(configDir)
- assert.Len(t, keyPairs, 0)
- err = os.Remove(crtPath)
- assert.NoError(t, err)
- err = os.Remove(keyPath)
- assert.NoError(t, err)
- util.CertsBasePath = ""
- err = dataprovider.UpdateConfigs(nil, "", "", "")
- assert.NoError(t, err)
- }
- func TestHTTPSRedirect(t *testing.T) {
- acmeWebRoot := filepath.Join(os.TempDir(), "acme")
- err := os.MkdirAll(acmeWebRoot, os.ModePerm)
- assert.NoError(t, err)
- tokenName := "token"
- err = os.WriteFile(filepath.Join(acmeWebRoot, tokenName), []byte("val"), 0666)
- assert.NoError(t, err)
- acmeConfig := acme.Configuration{
- HTTP01Challenge: acme.HTTP01Challenge{WebRoot: acmeWebRoot},
- }
- err = acme.Initialize(acmeConfig, configDir, true)
- require.NoError(t, err)
- forwardedHostHeader := "X-Forwarded-Host"
- server := httpdServer{
- binding: Binding{
- Security: SecurityConf{
- Enabled: true,
- HTTPSRedirect: true,
- HostsProxyHeaders: []string{forwardedHostHeader},
- },
- },
- }
- server.initializeRouter()
- rr := httptest.NewRecorder()
- r, err := http.NewRequest(http.MethodGet, path.Join(acmeChallengeURI, tokenName), nil)
- assert.NoError(t, err)
- r.Host = "localhost"
- r.RequestURI = path.Join(acmeChallengeURI, tokenName)
- server.router.ServeHTTP(rr, r)
- assert.Equal(t, http.StatusOK, rr.Code, rr.Body.String())
- rr = httptest.NewRecorder()
- r, err = http.NewRequest(http.MethodGet, webAdminLoginPath, nil)
- assert.NoError(t, err)
- r.RequestURI = webAdminLoginPath
- server.router.ServeHTTP(rr, r)
- assert.Equal(t, http.StatusTemporaryRedirect, rr.Code, rr.Body.String())
- rr = httptest.NewRecorder()
- r, err = http.NewRequest(http.MethodGet, webAdminLoginPath, nil)
- assert.NoError(t, err)
- r.RequestURI = webAdminLoginPath
- r.Header.Set(forwardedHostHeader, "sftpgo.com")
- server.router.ServeHTTP(rr, r)
- assert.Equal(t, http.StatusTemporaryRedirect, rr.Code, rr.Body.String())
- assert.Contains(t, rr.Body.String(), "https://sftpgo.com")
- server.binding.Security.HTTPSHost = "myhost:1044"
- rr = httptest.NewRecorder()
- r, err = http.NewRequest(http.MethodGet, webAdminLoginPath, nil)
- assert.NoError(t, err)
- r.RequestURI = webAdminLoginPath
- server.router.ServeHTTP(rr, r)
- assert.Equal(t, http.StatusTemporaryRedirect, rr.Code, rr.Body.String())
- assert.Contains(t, rr.Body.String(), "https://myhost:1044")
- err = os.RemoveAll(acmeWebRoot)
- assert.NoError(t, err)
- }
- func TestGetLogEventString(t *testing.T) {
- assert.Equal(t, "Login failed", getLogEventString(notifier.LogEventTypeLoginFailed))
- assert.Equal(t, "Login with non-existent user", getLogEventString(notifier.LogEventTypeLoginNoUser))
- assert.Equal(t, "No login tried", getLogEventString(notifier.LogEventTypeNoLoginTried))
- assert.Equal(t, "Algorithm negotiation failed", getLogEventString(notifier.LogEventTypeNotNegotiated))
- assert.Empty(t, getLogEventString(0))
- }
- func TestUserQuotaUsage(t *testing.T) {
- usage := userQuotaUsage{
- QuotaSize: 100,
- }
- require.True(t, usage.HasQuotaInfo())
- require.NotEmpty(t, usage.GetQuotaSize())
- providerConf := dataprovider.GetProviderConfig()
- quotaTracking := dataprovider.GetQuotaTracking()
- providerConf.TrackQuota = 0
- err := dataprovider.Close()
- assert.NoError(t, err)
- err = dataprovider.Initialize(providerConf, configDir, true)
- assert.NoError(t, err)
- err = dataprovider.Close()
- assert.NoError(t, err)
- assert.False(t, usage.HasQuotaInfo())
- providerConf.TrackQuota = quotaTracking
- err = dataprovider.Initialize(providerConf, configDir, true)
- assert.NoError(t, err)
- usage.QuotaSize = 0
- assert.False(t, usage.HasQuotaInfo())
- assert.Empty(t, usage.GetQuotaSize())
- assert.Equal(t, 0, usage.GetQuotaSizePercentage())
- assert.False(t, usage.IsQuotaSizeLow())
- assert.False(t, usage.IsDiskQuotaLow())
- assert.False(t, usage.IsQuotaLow())
- usage.UsedQuotaSize = 9
- assert.NotEmpty(t, usage.GetQuotaSize())
- usage.QuotaSize = 10
- assert.True(t, usage.IsQuotaSizeLow())
- assert.True(t, usage.IsDiskQuotaLow())
- assert.True(t, usage.IsQuotaLow())
- usage.DownloadDataTransfer = 1
- assert.True(t, usage.HasQuotaInfo())
- assert.True(t, usage.HasTranferQuota())
- assert.Empty(t, usage.GetQuotaFiles())
- assert.Equal(t, 0, usage.GetQuotaFilesPercentage())
- usage.QuotaFiles = 1
- assert.NotEmpty(t, usage.GetQuotaFiles())
- usage.QuotaFiles = 0
- usage.UsedQuotaFiles = 9
- assert.NotEmpty(t, usage.GetQuotaFiles())
- usage.QuotaFiles = 10
- usage.DownloadDataTransfer = 0
- assert.True(t, usage.IsQuotaFilesLow())
- assert.True(t, usage.IsDiskQuotaLow())
- assert.False(t, usage.IsTotalTransferQuotaLow())
- assert.False(t, usage.IsUploadTransferQuotaLow())
- assert.False(t, usage.IsDownloadTransferQuotaLow())
- assert.Equal(t, 0, usage.GetTotalTransferQuotaPercentage())
- assert.Equal(t, 0, usage.GetUploadTransferQuotaPercentage())
- assert.Equal(t, 0, usage.GetDownloadTransferQuotaPercentage())
- assert.Empty(t, usage.GetTotalTransferQuota())
- assert.Empty(t, usage.GetUploadTransferQuota())
- assert.Empty(t, usage.GetDownloadTransferQuota())
- usage.TotalDataTransfer = 3
- usage.UsedUploadDataTransfer = 1 * 1048576
- assert.NotEmpty(t, usage.GetTotalTransferQuota())
- usage.TotalDataTransfer = 0
- assert.NotEmpty(t, usage.GetTotalTransferQuota())
- assert.NotEmpty(t, usage.GetUploadTransferQuota())
- usage.UploadDataTransfer = 2
- assert.NotEmpty(t, usage.GetUploadTransferQuota())
- usage.UsedDownloadDataTransfer = 1 * 1048576
- assert.NotEmpty(t, usage.GetDownloadTransferQuota())
- usage.DownloadDataTransfer = 2
- assert.NotEmpty(t, usage.GetDownloadTransferQuota())
- assert.False(t, usage.IsTransferQuotaLow())
- usage.UsedDownloadDataTransfer = 8 * 1048576
- usage.TotalDataTransfer = 10
- assert.True(t, usage.IsTotalTransferQuotaLow())
- assert.True(t, usage.IsTransferQuotaLow())
- usage.TotalDataTransfer = 0
- usage.UploadDataTransfer = 0
- usage.DownloadDataTransfer = 0
- assert.False(t, usage.IsTransferQuotaLow())
- usage.UploadDataTransfer = 10
- usage.UsedUploadDataTransfer = 9 * 1048576
- assert.True(t, usage.IsUploadTransferQuotaLow())
- assert.True(t, usage.IsTransferQuotaLow())
- usage.DownloadDataTransfer = 10
- usage.UsedDownloadDataTransfer = 9 * 1048576
- assert.True(t, usage.IsDownloadTransferQuotaLow())
- assert.True(t, usage.IsTransferQuotaLow())
- }
- func TestShareRedirectURL(t *testing.T) {
- shareID := util.GenerateUniqueID()
- base := path.Join(webClientPubSharesPath, shareID)
- next := path.Join(webClientPubSharesPath, shareID, "browse")
- ok, res := checkShareRedirectURL(next, base)
- assert.True(t, ok)
- assert.Equal(t, next, res)
- next = path.Join(webClientPubSharesPath, shareID, "browse") + "?a=b"
- ok, res = checkShareRedirectURL(next, base)
- assert.True(t, ok)
- assert.Equal(t, next, res)
- next = path.Join(webClientPubSharesPath, shareID)
- ok, res = checkShareRedirectURL(next, base)
- assert.True(t, ok)
- assert.Equal(t, path.Join(base, "download"), res)
- next = path.Join(webClientEditFilePath, shareID)
- ok, res = checkShareRedirectURL(next, base)
- assert.False(t, ok)
- assert.Empty(t, res)
- next = path.Join(webClientPubSharesPath, shareID) + "?compress=false&a=b"
- ok, res = checkShareRedirectURL(next, base)
- assert.True(t, ok)
- assert.Equal(t, path.Join(base, "download?compress=false&a=b"), res)
- next = path.Join(webClientPubSharesPath, shareID) + "?compress=true&b=c"
- ok, res = checkShareRedirectURL(next, base)
- assert.True(t, ok)
- assert.Equal(t, path.Join(base, "download?compress=true&b=c"), res)
- ok, res = checkShareRedirectURL("http://foo\x7f.com/ab", "http://foo\x7f.com/")
- assert.False(t, ok)
- assert.Empty(t, res)
- ok, res = checkShareRedirectURL("http://foo.com/?foo\nbar", "http://foo.com")
- assert.False(t, ok)
- assert.Empty(t, res)
- }
- func isSharedProviderSupported() bool {
- // SQLite shares the implementation with other SQL-based provider but it makes no sense
- // to use it outside test cases
- switch dataprovider.GetProviderStatus().Driver {
- case dataprovider.MySQLDataProviderName, dataprovider.PGSQLDataProviderName,
- dataprovider.CockroachDataProviderName, dataprovider.SQLiteDataProviderName:
- return true
- default:
- return false
- }
- }
|