internal_test.go 128 KB

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697989910010110210310410510610710810911011111211311411511611711811912012112212312412512612712812913013113213313413513613713813914014114214314414514614714814915015115215315415515615715815916016116216316416516616716816917017117217317417517617717817918018118218318418518618718818919019119219319419519619719819920020120220320420520620720820921021121221321421521621721821922022122222322422522622722822923023123223323423523623723823924024124224324424524624724824925025125225325425525625725825926026126226326426526626726826927027127227327427527627727827928028128228328428528628728828929029129229329429529629729829930030130230330430530630730830931031131231331431531631731831932032132232332432532632732832933033133233333433533633733833934034134234334434534634734834935035135235335435535635735835936036136236336436536636736836937037137237337437537637737837938038138238338438538638738838939039139239339439539639739839940040140240340440540640740840941041141241341441541641741841942042142242342442542642742842943043143243343443543643743843944044144244344444544644744844945045145245345445545645745845946046146246346446546646746846947047147247347447547647747847948048148248348448548648748848949049149249349449549649749849950050150250350450550650750850951051151251351451551651751851952052152252352452552652752852953053153253353453553653753853954054154254354454554654754854955055155255355455555655755855956056156256356456556656756856957057157257357457557657757857958058158258358458558658758858959059159259359459559659759859960060160260360460560660760860961061161261361461561661761861962062162262362462562662762862963063163263363463563663763863964064164264364464564664764864965065165265365465565665765865966066166266366466566666766866967067167267367467567667767867968068168268368468568668768868969069169269369469569669769869970070170270370470570670770870971071171271371471571671771871972072172272372472572672772872973073173273373473573673773873974074174274374474574674774874975075175275375475575675775875976076176276376476576676776876977077177277377477577677777877978078178278378478578678778878979079179279379479579679779879980080180280380480580680780880981081181281381481581681781881982082182282382482582682782882983083183283383483583683783883984084184284384484584684784884985085185285385485585685785885986086186286386486586686786886987087187287387487587687787887988088188288388488588688788888989089189289389489589689789889990090190290390490590690790890991091191291391491591691791891992092192292392492592692792892993093193293393493593693793893994094194294394494594694794894995095195295395495595695795895996096196296396496596696796896997097197297397497597697797897998098198298398498598698798898999099199299399499599699799899910001001100210031004100510061007100810091010101110121013101410151016101710181019102010211022102310241025102610271028102910301031103210331034103510361037103810391040104110421043104410451046104710481049105010511052105310541055105610571058105910601061106210631064106510661067106810691070107110721073107410751076107710781079108010811082108310841085108610871088108910901091109210931094109510961097109810991100110111021103110411051106110711081109111011111112111311141115111611171118111911201121112211231124112511261127112811291130113111321133113411351136113711381139114011411142114311441145114611471148114911501151115211531154115511561157115811591160116111621163116411651166116711681169117011711172117311741175117611771178117911801181118211831184118511861187118811891190119111921193119411951196119711981199120012011202120312041205120612071208120912101211121212131214121512161217121812191220122112221223122412251226122712281229123012311232123312341235123612371238123912401241124212431244124512461247124812491250125112521253125412551256125712581259126012611262126312641265126612671268126912701271127212731274127512761277127812791280128112821283128412851286128712881289129012911292129312941295129612971298129913001301130213031304130513061307130813091310131113121313131413151316131713181319132013211322132313241325132613271328132913301331133213331334133513361337133813391340134113421343134413451346134713481349135013511352135313541355135613571358135913601361136213631364136513661367136813691370137113721373137413751376137713781379138013811382138313841385138613871388138913901391139213931394139513961397139813991400140114021403140414051406140714081409141014111412141314141415141614171418141914201421142214231424142514261427142814291430143114321433143414351436143714381439144014411442144314441445144614471448144914501451145214531454145514561457145814591460146114621463146414651466146714681469147014711472147314741475147614771478147914801481148214831484148514861487148814891490149114921493149414951496149714981499150015011502150315041505150615071508150915101511151215131514151515161517151815191520152115221523152415251526152715281529153015311532153315341535153615371538153915401541154215431544154515461547154815491550155115521553155415551556155715581559156015611562156315641565156615671568156915701571157215731574157515761577157815791580158115821583158415851586158715881589159015911592159315941595159615971598159916001601160216031604160516061607160816091610161116121613161416151616161716181619162016211622162316241625162616271628162916301631163216331634163516361637163816391640164116421643164416451646164716481649165016511652165316541655165616571658165916601661166216631664166516661667166816691670167116721673167416751676167716781679168016811682168316841685168616871688168916901691169216931694169516961697169816991700170117021703170417051706170717081709171017111712171317141715171617171718171917201721172217231724172517261727172817291730173117321733173417351736173717381739174017411742174317441745174617471748174917501751175217531754175517561757175817591760176117621763176417651766176717681769177017711772177317741775177617771778177917801781178217831784178517861787178817891790179117921793179417951796179717981799180018011802180318041805180618071808180918101811181218131814181518161817181818191820182118221823182418251826182718281829183018311832183318341835183618371838183918401841184218431844184518461847184818491850185118521853185418551856185718581859186018611862186318641865186618671868186918701871187218731874187518761877187818791880188118821883188418851886188718881889189018911892189318941895189618971898189919001901190219031904190519061907190819091910191119121913191419151916191719181919192019211922192319241925192619271928192919301931193219331934193519361937193819391940194119421943194419451946194719481949195019511952195319541955195619571958195919601961196219631964196519661967196819691970197119721973197419751976197719781979198019811982198319841985198619871988198919901991199219931994199519961997199819992000200120022003200420052006200720082009201020112012201320142015201620172018201920202021202220232024202520262027202820292030203120322033203420352036203720382039204020412042204320442045204620472048204920502051205220532054205520562057205820592060206120622063206420652066206720682069207020712072207320742075207620772078207920802081208220832084208520862087208820892090209120922093209420952096209720982099210021012102210321042105210621072108210921102111211221132114211521162117211821192120212121222123212421252126212721282129213021312132213321342135213621372138213921402141214221432144214521462147214821492150215121522153215421552156215721582159216021612162216321642165216621672168216921702171217221732174217521762177217821792180218121822183218421852186218721882189219021912192219321942195219621972198219922002201220222032204220522062207220822092210221122122213221422152216221722182219222022212222222322242225222622272228222922302231223222332234223522362237223822392240224122422243224422452246224722482249225022512252225322542255225622572258225922602261226222632264226522662267226822692270227122722273227422752276227722782279228022812282228322842285228622872288228922902291229222932294229522962297229822992300230123022303230423052306230723082309231023112312231323142315231623172318231923202321232223232324232523262327232823292330233123322333233423352336233723382339234023412342234323442345234623472348234923502351235223532354235523562357235823592360236123622363236423652366236723682369237023712372237323742375237623772378237923802381238223832384238523862387238823892390239123922393239423952396239723982399240024012402240324042405240624072408240924102411241224132414241524162417241824192420242124222423242424252426242724282429243024312432243324342435243624372438243924402441244224432444244524462447244824492450245124522453245424552456245724582459246024612462246324642465246624672468246924702471247224732474247524762477247824792480248124822483248424852486248724882489249024912492249324942495249624972498249925002501250225032504250525062507250825092510251125122513251425152516251725182519252025212522252325242525252625272528252925302531253225332534253525362537253825392540254125422543254425452546254725482549255025512552255325542555255625572558255925602561256225632564256525662567256825692570257125722573257425752576257725782579258025812582258325842585258625872588258925902591259225932594259525962597259825992600260126022603260426052606260726082609261026112612261326142615261626172618261926202621262226232624262526262627262826292630263126322633263426352636263726382639264026412642264326442645264626472648264926502651265226532654265526562657265826592660266126622663266426652666266726682669267026712672267326742675267626772678267926802681268226832684268526862687268826892690269126922693269426952696269726982699270027012702270327042705270627072708270927102711271227132714271527162717271827192720272127222723272427252726272727282729273027312732273327342735273627372738273927402741274227432744274527462747274827492750275127522753275427552756275727582759276027612762276327642765276627672768276927702771277227732774277527762777277827792780278127822783278427852786278727882789279027912792279327942795279627972798279928002801280228032804280528062807280828092810281128122813281428152816281728182819282028212822282328242825282628272828282928302831283228332834283528362837283828392840284128422843284428452846284728482849285028512852285328542855285628572858285928602861286228632864286528662867286828692870287128722873287428752876287728782879288028812882288328842885288628872888288928902891289228932894289528962897289828992900290129022903290429052906290729082909291029112912291329142915291629172918291929202921292229232924292529262927292829292930293129322933293429352936293729382939294029412942294329442945294629472948294929502951295229532954295529562957295829592960296129622963296429652966296729682969297029712972297329742975297629772978297929802981298229832984298529862987298829892990299129922993299429952996299729982999300030013002300330043005300630073008300930103011301230133014301530163017301830193020302130223023302430253026302730283029303030313032303330343035303630373038303930403041304230433044304530463047304830493050305130523053305430553056305730583059306030613062306330643065306630673068306930703071307230733074307530763077307830793080308130823083308430853086308730883089309030913092309330943095309630973098309931003101310231033104310531063107310831093110311131123113311431153116311731183119312031213122312331243125312631273128312931303131313231333134313531363137313831393140314131423143314431453146314731483149315031513152315331543155315631573158315931603161316231633164316531663167316831693170317131723173317431753176317731783179318031813182318331843185318631873188318931903191319231933194319531963197319831993200320132023203320432053206320732083209321032113212321332143215321632173218321932203221322232233224322532263227322832293230323132323233323432353236323732383239324032413242324332443245324632473248324932503251325232533254325532563257325832593260326132623263326432653266326732683269327032713272327332743275327632773278327932803281328232833284328532863287328832893290329132923293329432953296329732983299330033013302330333043305330633073308330933103311331233133314331533163317331833193320332133223323332433253326332733283329333033313332333333343335333633373338333933403341334233433344334533463347334833493350335133523353335433553356335733583359336033613362336333643365336633673368336933703371337233733374337533763377337833793380338133823383338433853386338733883389339033913392339333943395339633973398339934003401340234033404340534063407340834093410341134123413341434153416341734183419342034213422342334243425342634273428342934303431343234333434343534363437343834393440344134423443344434453446344734483449345034513452345334543455345634573458345934603461346234633464346534663467346834693470347134723473347434753476347734783479348034813482348334843485348634873488348934903491349234933494349534963497349834993500350135023503350435053506350735083509351035113512351335143515351635173518351935203521352235233524
  1. // Copyright (C) 2019-2023 Nicola Murino
  2. //
  3. // This program is free software: you can redistribute it and/or modify
  4. // it under the terms of the GNU Affero General Public License as published
  5. // by the Free Software Foundation, version 3.
  6. //
  7. // This program is distributed in the hope that it will be useful,
  8. // but WITHOUT ANY WARRANTY; without even the implied warranty of
  9. // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  10. // GNU Affero General Public License for more details.
  11. //
  12. // You should have received a copy of the GNU Affero General Public License
  13. // along with this program. If not, see <https://www.gnu.org/licenses/>.
  14. package httpd
  15. import (
  16. "bytes"
  17. "context"
  18. "crypto/tls"
  19. "crypto/x509"
  20. "database/sql"
  21. "encoding/json"
  22. "errors"
  23. "fmt"
  24. "html/template"
  25. "io"
  26. "net/http"
  27. "net/http/httptest"
  28. "net/url"
  29. "os"
  30. "path"
  31. "path/filepath"
  32. "runtime"
  33. "strings"
  34. "testing"
  35. "time"
  36. "github.com/go-chi/chi/v5"
  37. "github.com/go-chi/chi/v5/middleware"
  38. "github.com/go-chi/jwtauth/v5"
  39. "github.com/klauspost/compress/zip"
  40. "github.com/lestrrat-go/jwx/v2/jwa"
  41. "github.com/lestrrat-go/jwx/v2/jwt"
  42. "github.com/rs/xid"
  43. "github.com/sftpgo/sdk"
  44. sdkkms "github.com/sftpgo/sdk/kms"
  45. "github.com/sftpgo/sdk/plugin/notifier"
  46. "github.com/stretchr/testify/assert"
  47. "github.com/stretchr/testify/require"
  48. "github.com/drakkan/sftpgo/v2/internal/acme"
  49. "github.com/drakkan/sftpgo/v2/internal/common"
  50. "github.com/drakkan/sftpgo/v2/internal/dataprovider"
  51. "github.com/drakkan/sftpgo/v2/internal/kms"
  52. "github.com/drakkan/sftpgo/v2/internal/plugin"
  53. "github.com/drakkan/sftpgo/v2/internal/util"
  54. "github.com/drakkan/sftpgo/v2/internal/vfs"
  55. )
  56. const (
  57. httpdCert = `-----BEGIN CERTIFICATE-----
  58. MIICHTCCAaKgAwIBAgIUHnqw7QnB1Bj9oUsNpdb+ZkFPOxMwCgYIKoZIzj0EAwIw
  59. RTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGElu
  60. dGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAeFw0yMDAyMDQwOTUzMDRaFw0zMDAyMDEw
  61. OTUzMDRaMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYD
  62. VQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwdjAQBgcqhkjOPQIBBgUrgQQA
  63. IgNiAARCjRMqJ85rzMC998X5z761nJ+xL3bkmGVqWvrJ51t5OxV0v25NsOgR82CA
  64. NXUgvhVYs7vNFN+jxtb2aj6Xg+/2G/BNxkaFspIVCzgWkxiz7XE4lgUwX44FCXZM
  65. 3+JeUbKjUzBRMB0GA1UdDgQWBBRhLw+/o3+Z02MI/d4tmaMui9W16jAfBgNVHSME
  66. GDAWgBRhLw+/o3+Z02MI/d4tmaMui9W16jAPBgNVHRMBAf8EBTADAQH/MAoGCCqG
  67. SM49BAMCA2kAMGYCMQDqLt2lm8mE+tGgtjDmtFgdOcI72HSbRQ74D5rYTzgST1rY
  68. /8wTi5xl8TiFUyLMUsICMQC5ViVxdXbhuG7gX6yEqSkMKZICHpO8hqFwOD/uaFVI
  69. dV4vKmHUzwK/eIx+8Ay3neE=
  70. -----END CERTIFICATE-----`
  71. httpdKey = `-----BEGIN EC PARAMETERS-----
  72. BgUrgQQAIg==
  73. -----END EC PARAMETERS-----
  74. -----BEGIN EC PRIVATE KEY-----
  75. MIGkAgEBBDCfMNsN6miEE3rVyUPwElfiJSWaR5huPCzUenZOfJT04GAcQdWvEju3
  76. UM2lmBLIXpGgBwYFK4EEACKhZANiAARCjRMqJ85rzMC998X5z761nJ+xL3bkmGVq
  77. WvrJ51t5OxV0v25NsOgR82CANXUgvhVYs7vNFN+jxtb2aj6Xg+/2G/BNxkaFspIV
  78. CzgWkxiz7XE4lgUwX44FCXZM3+JeUbI=
  79. -----END EC PRIVATE KEY-----`
  80. caCRT = `-----BEGIN CERTIFICATE-----
  81. MIIE5jCCAs6gAwIBAgIBATANBgkqhkiG9w0BAQsFADATMREwDwYDVQQDEwhDZXJ0
  82. QXV0aDAeFw0yMzAxMDMxMDIwNDdaFw0zMzAxMDMxMDMwNDZaMBMxETAPBgNVBAMT
  83. CENlcnRBdXRoMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAxq6Wl1Ih
  84. hgvGdM8M2IVI7dwnv3yShJygZsnREQSEW0xeWJL5DtNeHCME5WByFUAlZKpePtW8
  85. TNwln9DYDtgNSMiWwvO/wR0mXsyU8Ma4ZBMlX0oOkWo1Ff/M/u8YY9X78Vvwdt62
  86. Yt7QmU5oUUW2HdAgh4AlhKJSjm3t0uDP5s54uvueL5bjChHwEb1ZGOtST9Zt86cj
  87. YA/xtVHnDXCJbhohpzQI6dK96NegONZVDaxEohVCyYYOgI1I14Bxu0ZCMm5GjwoO
  88. QohnUfEJ+BRgZqFpbsnYCE+PoVayVVFoLA+GMeqbQ2SHej1Pr1K0dbjUz6SAk8/+
  89. DL7h8d+YAtflATsMtdsVJ4WzEfvZbSbiYKYmlVC6zk6ooXWadvQ5+aezVes9WMpH
  90. YnAoScuKoeerRuKlsSU7u+XCmy/i7Hii5FwMrSvIL2GLtVE+tJFCTABA55OWZikt
  91. ULMQfg3P2Hk3GFIE35M10mSjKQkGhz06WC5UQ7f2Xl9GzO6PqRSorzugewgMK6L4
  92. SnN7XBFnUHHqx1bWNkUG8NPYB6Zs7UDHygemTWxqqxun43s501DNTSunCKIhwFbt
  93. 1ol5gOvYAFG+BXxnggBT815Mgz1Zht3S9CuprAgz0grNEwAYjRTm1PSaX3t8I1kv
  94. oUUuMF6BzWLHJ66uZKOCsPs3ouGq+G3GfWUCAwEAAaNFMEMwDgYDVR0PAQH/BAQD
  95. AgEGMBIGA1UdEwEB/wQIMAYBAf8CAQAwHQYDVR0OBBYEFCj8lmcR7loB9zAP/feo
  96. t1eIHWmIMA0GCSqGSIb3DQEBCwUAA4ICAQCu46fF0Tr2tZz1wkYt2Ty3OU77jcG9
  97. zYU/7uxPqPC8OYIzQJrumXKLOkTYJXJ7k+7RQdsn/nbxdH1PbslNDD3Eid/sZsF/
  98. dFdGR1ZYwXVQbpYwEd19CvJTALn9CyAZpMS8J2RJrmdScAeSSb0+nAGTYP7GvPm+
  99. 8ktOnrz3w8FtzTw+seuCW/DI/5UpfC9Jf+i/3XgxDozXWNW6YNOIw/CicyaqbBTk
  100. 5WFcJ0WJN+8qQurw8n+sOvQcNsuDTO7K3Tqu0wGTDUQKou7kiMX0UISRvd8roNOl
  101. zvvokNQe4VgCGQA+Y2SxvSxVG1BaymYeNw/0Yxm7QiKSUI400V1iKIcpnIvIedJR
  102. j2bGIlslVSV/P6zkRuF1srRVxTxSf1imEfs8J8mMhHB6DkOsP4Y93z5s6JZ0sPiM
  103. eOb0CVKul/e1R0Kq23AdPf5eUv63RhfmokN1OsdarRKMFyHphWMxqGJXsSvRP+dl
  104. 3DaKeTDx/91OSWiMc+glHHKKJveMYQLeJ7GXmcxhuoBm6o4Coowgw8NFKMCtAsp0
  105. ktvsQuhB3uFUterw/2ONsOChx7Ybu36Zk47TKBpktfxDQ578TVoZ7xWSAFqCPHvx
  106. A5VSwAg7tdBvORfqQjhiJRnhwr50RaNQABTLS0l5Vsn2mitApPs7iKiIts2ieWsU
  107. EsdgvPZR2e5IkA==
  108. -----END CERTIFICATE-----`
  109. caKey = `-----BEGIN RSA PRIVATE KEY-----
  110. MIIJJwIBAAKCAgEAxq6Wl1IhhgvGdM8M2IVI7dwnv3yShJygZsnREQSEW0xeWJL5
  111. DtNeHCME5WByFUAlZKpePtW8TNwln9DYDtgNSMiWwvO/wR0mXsyU8Ma4ZBMlX0oO
  112. kWo1Ff/M/u8YY9X78Vvwdt62Yt7QmU5oUUW2HdAgh4AlhKJSjm3t0uDP5s54uvue
  113. L5bjChHwEb1ZGOtST9Zt86cjYA/xtVHnDXCJbhohpzQI6dK96NegONZVDaxEohVC
  114. yYYOgI1I14Bxu0ZCMm5GjwoOQohnUfEJ+BRgZqFpbsnYCE+PoVayVVFoLA+GMeqb
  115. Q2SHej1Pr1K0dbjUz6SAk8/+DL7h8d+YAtflATsMtdsVJ4WzEfvZbSbiYKYmlVC6
  116. zk6ooXWadvQ5+aezVes9WMpHYnAoScuKoeerRuKlsSU7u+XCmy/i7Hii5FwMrSvI
  117. L2GLtVE+tJFCTABA55OWZiktULMQfg3P2Hk3GFIE35M10mSjKQkGhz06WC5UQ7f2
  118. Xl9GzO6PqRSorzugewgMK6L4SnN7XBFnUHHqx1bWNkUG8NPYB6Zs7UDHygemTWxq
  119. qxun43s501DNTSunCKIhwFbt1ol5gOvYAFG+BXxnggBT815Mgz1Zht3S9CuprAgz
  120. 0grNEwAYjRTm1PSaX3t8I1kvoUUuMF6BzWLHJ66uZKOCsPs3ouGq+G3GfWUCAwEA
  121. AQKCAgB1dNFiNBPNgziX5a/acTFkLTryYVrdOxs4qScHwHve3Y8JHhpPQXXpfGpw
  122. kEvhdEKm+HEvBHyFk8BKctTIMcHovW0jY6aBLBJ7CMckcNahkxAM/WMPZJJtpwQx
  123. 0nfAzchcL9ZA7/kzCjaX61qQcX3wshIJCSElADF+Mk7e1DkUYgvNvuMNj045rdEX
  124. K7F4oeXPfR0TZkPrjoF+iCToNReKF7i9eG2sjgHnnVIDR/KQWr9YculA6he4t83Q
  125. WQbjh+2qkrbz6SX0/17VeoJCPwmeot4JuRoWD7MB1pcnCTFkmujiqaeQd+X/xi9N
  126. nr9AuTxWZRH+UIAIWPCKZX0gcTHYNJ7Qj/bwIOx6xIISrH4unvKtJOI71NBBognY
  127. wBlDbz5gST1GKdZHsvqsi2sfFF7HAxiUzLHTofsYr0joNgHTJcXlJrtDrjbEt9mm
  128. 8f1tVc+ooQYb3u2BJlrIn3anUytVXEjYRje1bBYRaE1uuVG5QdHInc6V7rV3LfvX
  129. IByObtklvCLgCxZm6QUGedb16KV+Prt1W0Yvk6kMOldhG2uBRrt2vC8QxgNzRs90
  130. LIwBhv1hg++EU9RIaXN6we9ZiPs164VD1h6f8UeShAFtQN9eByqRaYmJzDDNh8Py
  131. CK/mR4mlyjdAArm42HpsPM0DeCpgjCQnsQFCihXe9++OT8enAQKCAQEAzbFWCmL0
  132. JsvsQopeO9H7NrQIZRql1bfPOcjvDBtYZgjR91q84zEcUUmEjVMtD/oPSk4HdjEK
  133. ljmGAjOvIFpdgk0YAtA4+kP+zvEoaKLfKGLNXdeNdYPJBvHMcbLrOknFJZ7PVoJA
  134. 5hQHMazX+JzaeCB2PTcGWUSnu4Lw4eTho/dmdlwsGS7HjTPw7LZnQfrJ57NHVX6n
  135. ZtwfjgxBmyE+rImpPPytuKGAgbH9qhrUqCNh6MQ6ZcqN4aHAI8j72IW8rwSPkYZ3
  136. mRpLtrvKKKcAp3YWh75WAtG0aqVQ876wpcM7Nxa+0TM9UzbF+xtoyz1/BCp3hrCA
  137. 0g6D40YRiPf+OQKCAQEA90ZNRP2vEEUbkXkxZGyrOq9P7FEgwt1Tg3kvCVrralst
  138. Db/v2ZQR8IyhJwNtBczXKpuxrv978zKjrDhqBMBaL8wXUrmf98has14ZvvrgiCzE
  139. oBuVRbRrJ8ksY2YyzBkW3OjO9iI7knbVT50xasbqhtHj5Q3DWMOt0bcAAjcZlRK3
  140. gD1e25/YOBR3C1XVylGGDH0jU/7VHzkedy8rwr7vPwMS7crU6l74mxre7ZS5Mb9T
  141. nqoP/VgrHzoz+uVXTXk0FvJBENrDm340RxsBrK7/ePA8ngp5ZzfUZ47eYOSYBZPD
  142. WYG1+Z99/ZLzZ/AJvp2HiGPDG5lXJjKg/Y7iWis4jQKCAQBaE7r2OXdqNgt06Ft0
  143. HvTAc/7pJ85P1Xrud0wYJTGFHX+1rwrhA3S/NE7UBQTK5lsj0x/5ZmiYeQBynmem
  144. 52vj0BcfxEfvcS95OKrVh93qNbpxyh+swtWaMPGzKQNSN1QasX1jCQ+aslKkMmkx
  145. +p7B1JVzIVGqbiJ2P1V112HpCELaumqlbJL/BywOvaJiho085onqqthsdyFqd3uT
  146. j+9+Z5qxloYNQMyh/2xyveU67KPH54cbZKTVlpwqD64amBaVHo4w0I43ggh+MabK
  147. PrhOnawoLfZErckwmszksTFyphice119B89nTalN2ib+OiQRkvddCJahZrHjKaAs
  148. N04hAoIBACwKAUkARWWIaViHVRylnfldr8ZOzJ7n/C+2LYJlBvhyNJv2SyldDbTh
  149. 1vGz0n7t9IRKJmMcbV7q7euGQJuIBofsuVqqZKskq8K2R6+Tztlx37MENpmrgEod
  150. siIh2XowHbpKXFHJ1wJG18bOIDb8JljMmOH6iYgNka+AAChk19GM+9GDHJnQ5hlW
  151. y7zhFKpryov+3YPgJuTgr2RaqliM2N9IFN70+Oak83HsXzfA/Rq3EJV5hE+CnGt7
  152. WjadEediZryPeLcfvya6W2UukiXHJQjNAH7FLsoLT3ECKOjozYpwvqH6UAadOTso
  153. KOGiBppERBcubVlE/hh3e+SsxfN5LyECggEATftYF8rp47q8LKCJ/QHk1U+MZoeU
  154. hkMuov2/Du4Cj3NsAq/GmdU2nuPGHUoHZ90rpfbOdsg4+lYx3aHSfVwk46xy6eE3
  155. LsC30W9NUEc14pveuEfkXWwIhmkwmA8n53wpjWf1nnosXa6UCHj6ycoRuwkH1QN1
  156. muQumpvL1gR8BV4H0vnhd0bCFHH4wyPKy0yTaXXsUE5NBCRbyOqehSLMOjCSgKUK
  157. 5oDwxh7pnJf1cchKpG0ODJR60vukdjcfqU9UN/SMvpYLnBiozM3QrxwHKROsnZzm
  158. Q0gSWphVd9QaWWD3wtHYPV3RkE5F4H+mKjVcnkES3aQnow7b/FSnhdJ4dw==
  159. -----END RSA PRIVATE KEY-----`
  160. caCRL = `-----BEGIN X509 CRL-----
  161. MIICpjCBjwIBATANBgkqhkiG9w0BAQsFADATMREwDwYDVQQDEwhDZXJ0QXV0aBcN
  162. MjMwMTAzMTAzMzI4WhcNMjUwMTAyMTAzMzI4WjAjMCECEHUfHtKUGlg/86yMN/aM
  163. xxsXDTIzMDEwMzEwMzMyOFqgIzAhMB8GA1UdIwQYMBaAFCj8lmcR7loB9zAP/feo
  164. t1eIHWmIMA0GCSqGSIb3DQEBCwUAA4ICAQAJf6MBMUc3xWKB6fy0VoPbXQjVTsL4
  165. Yjm5lKaCtvcRiJ6onaITfJL6V3OCy/MAe94sHynvK3DyyYvxJ0ms7y+kmEtFzHwz
  166. T+hBPHaEV/Ccamt+3zRZwndwEMomkQz5tBipwimOlsYXWqItjhXHcLLr84jWgqpD
  167. JHcfDmLswCeJVqe8xyYSYCnWMjQ3sn0h+arjm53SdHTULlsjgKeX/ao2IJwt1Ddr
  168. APYKZ/XBWq9vBq3l4l2Ufj16fUBY5NeHTjQcLLrkwmBwpSb0YS8+jBwmOwo1HwEF
  169. MEwADBTHI2jT4ygzzKefVETfcSk4CuIQ1ve0qQL7KY5Fg5AXwbRycev6R0vEHR82
  170. oOPAqg+dYgKtdkxK5QZrNLenloq6x0/3oEThwOg3J17+eCYjixBC+3PoUzLa+yfZ
  171. xSQ/kkcRJExEhadw5I9TI7sEUk1RjDCl6AtHg53LQifokiLLfMRptOiN3a4NlLJ2
  172. HNXfWUltRUnr6MCxk+G7U5Zaj1QtCN3Aldw+3xcJr7FOBU23VqRT22XbfW+B1gsr
  173. 4eNlw5Kk/PDF/WZeGbrwy7fvpSoFsDYI8lpVlzKVwLampIZVhnWsfaf7jk/pc4T0
  174. 6iZ+rnB6CP4P+LM34jKYiAtz+iufjEB6Ko0jN0ZWCznDGDVgMwnVynGJNKU+4bl8
  175. vC4nIbS2OhclcA==
  176. -----END X509 CRL-----`
  177. client1Crt = `-----BEGIN CERTIFICATE-----
  178. MIIEIDCCAgigAwIBAgIQWwKNgBzKWM8ewyS4K78uOTANBgkqhkiG9w0BAQsFADAT
  179. MREwDwYDVQQDEwhDZXJ0QXV0aDAeFw0yMzAxMDMxMDIzMTFaFw0zMzAxMDMxMDMw
  180. NDVaMBIxEDAOBgNVBAMTB2NsaWVudDEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
  181. ggEKAoIBAQC+jwuaG0FSpPtE5mZPBgdacAhXXa51/TIT18HTm+QnOYUcGRel3AuZ
  182. OBWv3fOallW8iQX3i+M78cKeTMWOS5RGXCdDe866pYXEyUkZFRRSA/6573Dz5dJ/
  183. DZOCsgW+91JlSkM1+FYE9cpt4qLkdAjSRXIoebcA64K60wqZr1Js+pQrH3leT9wu
  184. 33dM3KHkDHOeMj6X/V1me22htndD/DUlWmPc58jMFbcvxFG3oUBB9U65LJBwJNzr
  185. XWVcli2QirZ0fLkC7Lo2FIYuN1qeU/8A/T4TTInZb/eW3Faqv4RuhjWPXFLqkdIP
  186. 4AzDxCNuhlWqyv9nfgegXAHOHpXZMDKxAgMBAAGjcTBvMA4GA1UdDwEB/wQEAwID
  187. uDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwHQYDVR0OBBYEFKloKnzI
  188. w7YYnjm1sKU+LgvT5dU0MB8GA1UdIwQYMBaAFCj8lmcR7loB9zAP/feot1eIHWmI
  189. MA0GCSqGSIb3DQEBCwUAA4ICAQAeja0rK7I14ibgis9vSPXAGmmKpagIjvZiYCE6
  190. Ti/Rq6qbyQ6tKL08NxR2XPNjoXfxwGOGgboWR86S7WT93pz3HkftAjTfzUnxnXOx
  191. S7dWfq+g0uY/3ql6IFDQBpGKHu/KN8/1Pvn39FiYSdCaM66bwyFukcvBXace+aC1
  192. M6jzVsscxoCCjXhcZl++Tjpf6TzGMd8OFyArBQmOUCoFrTcMzLPKSAROAHp0k+Ju
  193. HHNgLdgXPQCfAgRbWnqq2o2moApe7+gzMS+1X0eKhIXYS7csK8rFvGzjH/ANDo9A
  194. 8+AFcJh8YiIlEVI8nCb3ERdpAbu6G5xkfUDkqcWjCAhuokrbeFmU82RQOc3TQZc9
  195. NMHfTkCOPhaIdPI/kC+fZkdz+5ftDCl/radSljeMX+/y0DVQUOtrQzyT1PBN0vCx
  196. L+FCzj0fHJwdoDiFLxDLLN1pYWsxMnIichpg625CZM9r5i183yPErXxxQPydcDrX
  197. Y6Ps7rGiU7eGILhAfQnS1XUDvH0gNfLUvO5uWm6yO4yUEDWkA/wOTnrc8Z5Waza+
  198. kH+FmxnYpT1rMloTSoyiHIPvTq1nVJ8LILUODZAxW+ZHmccGgOpIN/DWuWunVRHG
  199. tuaTSgU1xjWl2q/SeoS2DpiEKTIAZZQ5CTD819oc8SnLTzK0ISRpBXKg13AF2uJD
  200. G9q7sA==
  201. -----END CERTIFICATE-----`
  202. client1Key = `-----BEGIN RSA PRIVATE KEY-----
  203. MIIEpQIBAAKCAQEAvo8LmhtBUqT7ROZmTwYHWnAIV12udf0yE9fB05vkJzmFHBkX
  204. pdwLmTgVr93zmpZVvIkF94vjO/HCnkzFjkuURlwnQ3vOuqWFxMlJGRUUUgP+ue9w
  205. 8+XSfw2TgrIFvvdSZUpDNfhWBPXKbeKi5HQI0kVyKHm3AOuCutMKma9SbPqUKx95
  206. Xk/cLt93TNyh5AxznjI+l/1dZnttobZ3Q/w1JVpj3OfIzBW3L8RRt6FAQfVOuSyQ
  207. cCTc611lXJYtkIq2dHy5Auy6NhSGLjdanlP/AP0+E0yJ2W/3ltxWqr+EboY1j1xS
  208. 6pHSD+AMw8QjboZVqsr/Z34HoFwBzh6V2TAysQIDAQABAoIBAFaIHnycY81jnbZr
  209. 6Yl4813eAeuqXs61a0gXcazl3XTyab+YpWRrx9iL3009PKG2Iri6gDspCsbtwbKg
  210. qhUzvOE2d53tWrLm9xelT8xUBiY4KjPEx0X51txbDeELdhCBvqjAUETxwB4Afyvm
  211. /pE/H8JcRrqair+gMn0j2GxxcLyLQt8/DBaqbs50QDxYbLTrfZzXi3R5iAMmtGDM
  212. ZuhBDJYjw/PdJnmWcCkeEFa731ZwHISvDFJtZ6kv0yU7guHzvDWOFlszFksv8HRI
  213. s46i1AqvdLd3M/xVDWi2f5P3IuOK80v2xrTZAbJSc9Fo/oHhO+9mWoxnGF2JE2zO
  214. cabYfAECgYEA/EIw0fvOLabhmsLTItq7p76Gt1kE2Rsn+KsRH+H4vE3iptHy1pks
  215. j/aohQ+YeZM3KtsEz12dtPfUBQoTMfCxpiHVhhpX5JLyc6OAMWhZUItQX2X0lzeY
  216. oPRdbEMRcfxOKjb3mY5T2h9TVUieuspE2wExYFRMaB8BT4pio86iWYUCgYEAwWKV
  217. pP7w1+H6bpBucSh89Iq0inIgvHpFNz0bpAFTZV+VyydMzjfkY8k6IqL5ckr2aDsY
  218. vk6XLClJi6I2qeQx/czIrd+xCWcSJPLTcjtKwv0T01ThNVq+ev1NBUqU03STyaJa
  219. p14r4dIYxpZs13s+Mdkzr7R8uv4J5Y03AP90xj0CgYEA4j0W/ezBAE6QPbWHmNXl
  220. wU7uEZgj8fcaBTqfVCHdbDzKDuVyzqZ3wfHtN9FB5Z9ztdrSWIxUec5e99oOVxbQ
  221. rPfhQbF0rIpiKfY0bZtxpvwbLEQLdmelWo1vED6iccFf9RpxO+XbLGA14+IKgeoQ
  222. kP5j40oXcLaF/WlWiCU1k+UCgYEAgVFcgn5dLfAWmLMKt678iEbs3hvdmkwlVwAN
  223. KMoeK48Uy0pXiRtFJhldP+Y96tkIF8FVFYXWf5iIbtClv0wyxeaYV/VbHM+JCZ48
  224. GYpevy+ff1WmWBh7giE6zQwHo7O0VES2XG+T5qmpGbtjw2DNwWXes2N9eUoB8jhR
  225. jOBHBX0CgYEA6Ha3IdnpYyODII1W26gEPnBoUCk1ascsztAqDwikBgMY9605jxLi
  226. t3L261iTtN4kTd26nPTsNaJlEnKfm7Oqg1P3zpYLmC2JoFVrOyAZVhyfLACBMV9g
  227. Dy1qoA4qz5jjtwPQ0bsOpfE6/oXdIZZdgyi1CmVRMNF0z3KNs1LhLLU=
  228. -----END RSA PRIVATE KEY-----`
  229. // client 2 crt is revoked
  230. client2Crt = `-----BEGIN CERTIFICATE-----
  231. MIIEIDCCAgigAwIBAgIQdR8e0pQaWD/zrIw39ozHGzANBgkqhkiG9w0BAQsFADAT
  232. MREwDwYDVQQDEwhDZXJ0QXV0aDAeFw0yMzAxMDMxMDIzMTRaFw0zMzAxMDMxMDMw
  233. NDVaMBIxEDAOBgNVBAMTB2NsaWVudDIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
  234. ggEKAoIBAQC/UZqUxeP15lhXBmPmpS5SdI470R75fxmN14FhYwTS3FsDoT+evqRg
  235. II4Qo/wqbaGrk/BsbzB7ToVWqpkyZ58hYPdtLjKtBBHYsSCNCoKZEVJTz5JdW3sj
  236. CKRsG3zPVhFjJcYW9pKsr/CGIIDWAfkuuwR+R/NHkUFSjEP5N9qMAc9wBvskxV84
  237. YAJJykPD9rG8PjXHOKsfNUhH+/QfbqMkCeETJ1sp66o3ilql2aZ0m6K6x4gB7tM7
  238. NZnM4eztLZbAnQVQhNBYCR6i7DGI2dujujPbpCqmSqSb42n+3a2o844k6EnU76HJ
  239. RZwhd3ypy9CvTdkya5JbK+aKKo8fGFHbAgMBAAGjcTBvMA4GA1UdDwEB/wQEAwID
  240. uDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwHQYDVR0OBBYEFLItEDE1
  241. gVYfe7JSax5YAjEW8tmzMB8GA1UdIwQYMBaAFCj8lmcR7loB9zAP/feot1eIHWmI
  242. MA0GCSqGSIb3DQEBCwUAA4ICAQCZRStHCbwmhmH4tu7V5ammmQhn1TKcspV86cXz
  243. JQ4ZM11RvGpRLTmYuRkl5XloMuvB8yYAE1ihhkYOhgU6zSAj33kUQSx6cHXWau7T
  244. NjTchptKX+b17GR/yuFwIR3TugArBsnwyuUdts478gTY+MSgTOWWyOgWl3FujiEJ
  245. GJ7EgKde4jURXv2qjp6ZtSVqMlAa3y8C3S8nLdyt9Rf8CcSjEy/t8t0JhoMYCvxg
  246. o1k7QhMCfMYjjEIuEyDVOdCs2ExepG1zUVBP5h5239sXvLKrOZvgCZkslyTNd/m9
  247. vv4yR5gLgCdt0Ol1uip0p910PJoSqX6nZNfeCx3+Kgyc7crl8PrsnUAVoPgLxpVm
  248. FWF+KlUbh2KiYTuSi5cH0Ti9NtWT3Qi8d4WhmjFlu0zD3EJEUie0oYfHERiO9bVo
  249. 5EAzERSVhgQdxVOLgIc2Hbe1JYFf7idyqASRw6KdVkW6YIC/V/5efrJ1LZ5QNrdv
  250. bmfJ5CznE6o1AH9JsQ8xMi+kmyn/It1uMWIwP/tYyjQ98dlOj2k9CHP2RzrvCCY9
  251. yZNjs2QC5cleNdSpNMb2J2EUYTNAnaH3H8YdbT0scMHDvre1G7p4AjeuRJ9mW7VK
  252. Dcqbw+VdSAPyAFdiCd9x8AU3sr28vYbPbPp+LsHQXIlYdnVR0hh2UKF5lR8iuqVx
  253. y05cAQ==
  254. -----END CERTIFICATE-----`
  255. client2Key = `-----BEGIN RSA PRIVATE KEY-----
  256. MIIEpAIBAAKCAQEAv1GalMXj9eZYVwZj5qUuUnSOO9Ee+X8ZjdeBYWME0txbA6E/
  257. nr6kYCCOEKP8Km2hq5PwbG8we06FVqqZMmefIWD3bS4yrQQR2LEgjQqCmRFSU8+S
  258. XVt7IwikbBt8z1YRYyXGFvaSrK/whiCA1gH5LrsEfkfzR5FBUoxD+TfajAHPcAb7
  259. JMVfOGACScpDw/axvD41xzirHzVIR/v0H26jJAnhEydbKeuqN4papdmmdJuiuseI
  260. Ae7TOzWZzOHs7S2WwJ0FUITQWAkeouwxiNnbo7oz26Qqpkqkm+Np/t2tqPOOJOhJ
  261. 1O+hyUWcIXd8qcvQr03ZMmuSWyvmiiqPHxhR2wIDAQABAoIBAQCGAtE2uM8PJcRn
  262. YPCFVNr3ovEmcTszJJZvxq632rY8RWHzTvXTalKVivg4K8WsqpJ+LuhP7CqXlM7N
  263. gD5DElZi+RsXfS6+BoXBtYDJir0kHv/9+P3bKwM77QfPOgnY6b7QJlt1Jk5ja/Ic
  264. 4ZOdVFCJLTLeieOdE+AfxGSwozEQs9N3wBjPi6i5Rarc6i8HbuSemp/KfXrSR/Sh
  265. EFajk0l3nFVgr3VOLGsV/ieT6EW42p6ZA1ZBEi4sr4hN49zU2Vpj+lXBl/RhVGgM
  266. 6cSYJkOP98eD2t9cjHyZFqSw18/UqTNonMfoT2uvSNni9/jAouzkt7SwaPAqQpjE
  267. BfiJnK9RAoGBAMNdK6AhS+9ouQEP5v+9ubQ3AIEMYb+3uVR+1veCBqq49J0Z3tgk
  268. 7Ts5eflsYnddmtys+8CMnAvh+1EedK+X/MQyalQAUHke+llt94N+tHpSPDw/ZHOy
  269. koyLFg6efQr+626x6o33jqu+/9fu7Szxv41tmnCfh9hxGXda3aiWHsUdAoGBAPqz
  270. BQVWI7NOJmsiSB0OoDs+x3fqjp31IxEw63t+lDtSTTzxCU53sfie9vPsKdPFqR+d
  271. yNa5i5M8YDuaEjbN3hpuOpRWbfg2aPVyx3TNPp8bHNNUuJkCQ4Z2b0Imlv4Sycl+
  272. CCMMXvysIAomxkAZ3Q3BsSAZd2n+qvLvMt2jGZlXAoGAa/AhN1LOMpMojBauKSQ4
  273. 4wH0jFg79YHbqnx95rf3WQHhXJ87iS41yCAEbTNd39dexYfpfEPzv3j2sqXiEFYn
  274. +HpmVszpqVHdPeXM9+DcdCzVTPA1XtsNrwr1f9Q/AAFCMKGqFw/syqU3k6VVcxyK
  275. GeixiIILuyEZ0eDpUMjIbV0CgYBbwvLvhRwEIXLGfAHRQO09QjlYly4kevme7T0E
  276. Msym+fTzfXZelkk6K1VQ6vxUW2EQBXzhu4BvIAZJSpeoH6pQGlCuwwP1elTool6H
  277. TijBq/bdE4GN39o/eVI38FAMJ2xcqBjqWzjZW1dO3+poxA65XlAq46dl0KVZzlvb
  278. 7DsOeQKBgQCW8iELrECLQ9xhPbzqdNEOcI4wxEI8oDNLvUar/VnMrSUBxi/jo3j2
  279. 08IOKMKqSl+BX77ftgazhyL+hEgxlZuPKeqUuOWcNxuAs0vK6Gc5+Y9UpQEq78nH
  280. uaPG3o9EBDf5eFKi76o+pVtqxrwhY88M/Yw0ykEA6Nf7RCo2ucdemg==
  281. -----END RSA PRIVATE KEY-----`
  282. defaultAdminUsername = "admin"
  283. )
  284. var (
  285. configDir = filepath.Join(".", "..", "..")
  286. )
  287. type failingWriter struct {
  288. }
  289. func (r *failingWriter) Write(_ []byte) (n int, err error) {
  290. return 0, errors.New("write error")
  291. }
  292. func (r *failingWriter) WriteHeader(_ int) {}
  293. func (r *failingWriter) Header() http.Header {
  294. return make(http.Header)
  295. }
  296. func TestShouldBind(t *testing.T) {
  297. c := Conf{
  298. Bindings: []Binding{
  299. {
  300. Port: 10000,
  301. },
  302. },
  303. }
  304. require.False(t, c.ShouldBind())
  305. c.Bindings[0].EnableRESTAPI = true
  306. require.True(t, c.ShouldBind())
  307. c.Bindings[0].Port = 0
  308. require.False(t, c.ShouldBind())
  309. if runtime.GOOS != osWindows {
  310. c.Bindings[0].Address = "/absolute/path"
  311. require.True(t, c.ShouldBind())
  312. }
  313. }
  314. func TestBrandingValidation(t *testing.T) {
  315. b := Binding{
  316. Branding: Branding{
  317. WebAdmin: UIBranding{
  318. LogoPath: "path1",
  319. LoginImagePath: "login1.png",
  320. DefaultCSS: []string{"my.css"},
  321. },
  322. WebClient: UIBranding{
  323. FaviconPath: "favicon1.ico",
  324. DisclaimerPath: "../path2",
  325. ExtraCSS: []string{"1.css"},
  326. },
  327. },
  328. }
  329. b.checkBranding()
  330. assert.Equal(t, "/favicon.ico", b.Branding.WebAdmin.FaviconPath)
  331. assert.Equal(t, "/path1", b.Branding.WebAdmin.LogoPath)
  332. assert.Equal(t, "/login1.png", b.Branding.WebAdmin.LoginImagePath)
  333. assert.Equal(t, []string{"/my.css"}, b.Branding.WebAdmin.DefaultCSS)
  334. assert.Len(t, b.Branding.WebAdmin.ExtraCSS, 0)
  335. assert.Equal(t, "/favicon1.ico", b.Branding.WebClient.FaviconPath)
  336. assert.Equal(t, "/path2", b.Branding.WebClient.DisclaimerPath)
  337. assert.Equal(t, "/img/login_image.png", b.Branding.WebClient.LoginImagePath)
  338. if assert.Len(t, b.Branding.WebClient.ExtraCSS, 1) {
  339. assert.Equal(t, "/1.css", b.Branding.WebClient.ExtraCSS[0])
  340. }
  341. }
  342. func TestRedactedConf(t *testing.T) {
  343. c := Conf{
  344. SigningPassphrase: "passphrase",
  345. Setup: SetupConfig{
  346. InstallationCode: "123",
  347. },
  348. }
  349. redactedField := "[redacted]"
  350. redactedConf := c.getRedacted()
  351. assert.Equal(t, redactedField, redactedConf.SigningPassphrase)
  352. assert.Equal(t, redactedField, redactedConf.Setup.InstallationCode)
  353. assert.NotEqual(t, c.SigningPassphrase, redactedConf.SigningPassphrase)
  354. assert.NotEqual(t, c.Setup.InstallationCode, redactedConf.Setup.InstallationCode)
  355. }
  356. func TestGetRespStatus(t *testing.T) {
  357. var err error
  358. err = util.NewMethodDisabledError("")
  359. respStatus := getRespStatus(err)
  360. assert.Equal(t, http.StatusForbidden, respStatus)
  361. err = fmt.Errorf("generic error")
  362. respStatus = getRespStatus(err)
  363. assert.Equal(t, http.StatusInternalServerError, respStatus)
  364. respStatus = getRespStatus(plugin.ErrNoSearcher)
  365. assert.Equal(t, http.StatusNotImplemented, respStatus)
  366. }
  367. func TestMappedStatusCode(t *testing.T) {
  368. err := os.ErrPermission
  369. code := getMappedStatusCode(err)
  370. assert.Equal(t, http.StatusForbidden, code)
  371. err = os.ErrNotExist
  372. code = getMappedStatusCode(err)
  373. assert.Equal(t, http.StatusNotFound, code)
  374. err = common.ErrQuotaExceeded
  375. code = getMappedStatusCode(err)
  376. assert.Equal(t, http.StatusRequestEntityTooLarge, code)
  377. err = os.ErrClosed
  378. code = getMappedStatusCode(err)
  379. assert.Equal(t, http.StatusInternalServerError, code)
  380. err = &http.MaxBytesError{}
  381. code = getMappedStatusCode(err)
  382. assert.Equal(t, http.StatusRequestEntityTooLarge, code)
  383. }
  384. func TestGCSWebInvalidFormFile(t *testing.T) {
  385. form := make(url.Values)
  386. form.Set("username", "test_username")
  387. form.Set("fs_provider", "2")
  388. req, _ := http.NewRequest(http.MethodPost, webUserPath, strings.NewReader(form.Encode()))
  389. req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
  390. err := req.ParseForm()
  391. assert.NoError(t, err)
  392. _, err = getFsConfigFromPostFields(req)
  393. assert.EqualError(t, err, http.ErrNotMultipart.Error())
  394. }
  395. func TestInvalidToken(t *testing.T) {
  396. server := httpdServer{}
  397. server.initializeRouter()
  398. admin := dataprovider.Admin{
  399. Username: "admin",
  400. }
  401. errFake := errors.New("fake error")
  402. asJSON, err := json.Marshal(admin)
  403. assert.NoError(t, err)
  404. req, _ := http.NewRequest(http.MethodPut, path.Join(adminPath, admin.Username), bytes.NewBuffer(asJSON))
  405. rctx := chi.NewRouteContext()
  406. rctx.URLParams.Add("username", admin.Username)
  407. req = req.WithContext(context.WithValue(req.Context(), chi.RouteCtxKey, rctx))
  408. req = req.WithContext(context.WithValue(req.Context(), jwtauth.ErrorCtxKey, errFake))
  409. rr := httptest.NewRecorder()
  410. updateAdmin(rr, req)
  411. assert.Equal(t, http.StatusBadRequest, rr.Code)
  412. rr = httptest.NewRecorder()
  413. deleteAdmin(rr, req)
  414. assert.Equal(t, http.StatusBadRequest, rr.Code)
  415. adminPwd := pwdChange{
  416. CurrentPassword: "old",
  417. NewPassword: "new",
  418. }
  419. asJSON, err = json.Marshal(adminPwd)
  420. assert.NoError(t, err)
  421. req, _ = http.NewRequest(http.MethodPut, "", bytes.NewBuffer(asJSON))
  422. req = req.WithContext(context.WithValue(req.Context(), chi.RouteCtxKey, rctx))
  423. req = req.WithContext(context.WithValue(req.Context(), jwtauth.ErrorCtxKey, errFake))
  424. rr = httptest.NewRecorder()
  425. changeAdminPassword(rr, req)
  426. assert.Equal(t, http.StatusInternalServerError, rr.Code)
  427. adm := getAdminFromToken(req)
  428. assert.Empty(t, adm.Username)
  429. rr = httptest.NewRecorder()
  430. readUserFolder(rr, req)
  431. assert.Equal(t, http.StatusBadRequest, rr.Code)
  432. assert.Contains(t, rr.Body.String(), "Invalid token claims")
  433. rr = httptest.NewRecorder()
  434. getUserFile(rr, req)
  435. assert.Equal(t, http.StatusBadRequest, rr.Code)
  436. assert.Contains(t, rr.Body.String(), "Invalid token claims")
  437. rr = httptest.NewRecorder()
  438. getUserFilesAsZipStream(rr, req)
  439. assert.Equal(t, http.StatusBadRequest, rr.Code)
  440. assert.Contains(t, rr.Body.String(), "Invalid token claims")
  441. rr = httptest.NewRecorder()
  442. getShares(rr, req)
  443. assert.Equal(t, http.StatusBadRequest, rr.Code)
  444. assert.Contains(t, rr.Body.String(), "Invalid token claims")
  445. rr = httptest.NewRecorder()
  446. getShareByID(rr, req)
  447. assert.Equal(t, http.StatusBadRequest, rr.Code)
  448. assert.Contains(t, rr.Body.String(), "Invalid token claims")
  449. rr = httptest.NewRecorder()
  450. addShare(rr, req)
  451. assert.Equal(t, http.StatusBadRequest, rr.Code)
  452. assert.Contains(t, rr.Body.String(), "Invalid token claims")
  453. rr = httptest.NewRecorder()
  454. updateShare(rr, req)
  455. assert.Equal(t, http.StatusBadRequest, rr.Code)
  456. assert.Contains(t, rr.Body.String(), "Invalid token claims")
  457. rr = httptest.NewRecorder()
  458. deleteShare(rr, req)
  459. assert.Equal(t, http.StatusBadRequest, rr.Code)
  460. assert.Contains(t, rr.Body.String(), "Invalid token claims")
  461. rr = httptest.NewRecorder()
  462. generateTOTPSecret(rr, req)
  463. assert.Equal(t, http.StatusBadRequest, rr.Code)
  464. assert.Contains(t, rr.Body.String(), "Invalid token claims")
  465. rr = httptest.NewRecorder()
  466. saveTOTPConfig(rr, req)
  467. assert.Equal(t, http.StatusBadRequest, rr.Code)
  468. assert.Contains(t, rr.Body.String(), "Invalid token claims")
  469. rr = httptest.NewRecorder()
  470. getRecoveryCodes(rr, req)
  471. assert.Equal(t, http.StatusBadRequest, rr.Code)
  472. assert.Contains(t, rr.Body.String(), "Invalid token claims")
  473. rr = httptest.NewRecorder()
  474. generateRecoveryCodes(rr, req)
  475. assert.Equal(t, http.StatusBadRequest, rr.Code)
  476. assert.Contains(t, rr.Body.String(), "Invalid token claims")
  477. rr = httptest.NewRecorder()
  478. getUserProfile(rr, req)
  479. assert.Equal(t, http.StatusBadRequest, rr.Code)
  480. assert.Contains(t, rr.Body.String(), "Invalid token claims")
  481. rr = httptest.NewRecorder()
  482. updateUserProfile(rr, req)
  483. assert.Equal(t, http.StatusBadRequest, rr.Code)
  484. assert.Contains(t, rr.Body.String(), "Invalid token claims")
  485. rr = httptest.NewRecorder()
  486. getAdminProfile(rr, req)
  487. assert.Equal(t, http.StatusBadRequest, rr.Code)
  488. assert.Contains(t, rr.Body.String(), "Invalid token claims")
  489. rr = httptest.NewRecorder()
  490. updateAdminProfile(rr, req)
  491. assert.Equal(t, http.StatusBadRequest, rr.Code)
  492. assert.Contains(t, rr.Body.String(), "Invalid token claims")
  493. rr = httptest.NewRecorder()
  494. loadData(rr, req)
  495. assert.Equal(t, http.StatusBadRequest, rr.Code)
  496. assert.Contains(t, rr.Body.String(), "Invalid token claims")
  497. rr = httptest.NewRecorder()
  498. loadDataFromRequest(rr, req)
  499. assert.Equal(t, http.StatusBadRequest, rr.Code)
  500. assert.Contains(t, rr.Body.String(), "Invalid token claims")
  501. rr = httptest.NewRecorder()
  502. addUser(rr, req)
  503. assert.Equal(t, http.StatusBadRequest, rr.Code)
  504. assert.Contains(t, rr.Body.String(), "Invalid token claims")
  505. rr = httptest.NewRecorder()
  506. disableUser2FA(rr, req)
  507. assert.Equal(t, http.StatusBadRequest, rr.Code)
  508. assert.Contains(t, rr.Body.String(), "Invalid token claims")
  509. rr = httptest.NewRecorder()
  510. updateUser(rr, req)
  511. assert.Equal(t, http.StatusBadRequest, rr.Code)
  512. assert.Contains(t, rr.Body.String(), "Invalid token claims")
  513. rr = httptest.NewRecorder()
  514. deleteUser(rr, req)
  515. assert.Equal(t, http.StatusBadRequest, rr.Code)
  516. assert.Contains(t, rr.Body.String(), "Invalid token claims")
  517. rr = httptest.NewRecorder()
  518. getActiveConnections(rr, req)
  519. assert.Equal(t, http.StatusBadRequest, rr.Code)
  520. assert.Contains(t, rr.Body.String(), "Invalid token claims")
  521. rr = httptest.NewRecorder()
  522. handleCloseConnection(rr, req)
  523. assert.Equal(t, http.StatusBadRequest, rr.Code)
  524. assert.Contains(t, rr.Body.String(), "Invalid token claims")
  525. rr = httptest.NewRecorder()
  526. server.handleWebRestore(rr, req)
  527. assert.Equal(t, http.StatusBadRequest, rr.Code)
  528. assert.Contains(t, rr.Body.String(), "invalid token claims")
  529. rr = httptest.NewRecorder()
  530. server.handleWebAddUserPost(rr, req)
  531. assert.Equal(t, http.StatusBadRequest, rr.Code)
  532. assert.Contains(t, rr.Body.String(), "invalid token claims")
  533. rr = httptest.NewRecorder()
  534. server.handleWebUpdateUserPost(rr, req)
  535. assert.Equal(t, http.StatusBadRequest, rr.Code)
  536. assert.Contains(t, rr.Body.String(), "invalid token claims")
  537. rr = httptest.NewRecorder()
  538. server.handleWebTemplateFolderPost(rr, req)
  539. assert.Equal(t, http.StatusBadRequest, rr.Code)
  540. assert.Contains(t, rr.Body.String(), "invalid token claims")
  541. rr = httptest.NewRecorder()
  542. server.handleWebTemplateUserPost(rr, req)
  543. assert.Equal(t, http.StatusBadRequest, rr.Code)
  544. assert.Contains(t, rr.Body.String(), "invalid token claims")
  545. rr = httptest.NewRecorder()
  546. addFolder(rr, req)
  547. assert.Equal(t, http.StatusBadRequest, rr.Code)
  548. assert.Contains(t, rr.Body.String(), "Invalid token claims")
  549. rr = httptest.NewRecorder()
  550. updateFolder(rr, req)
  551. assert.Equal(t, http.StatusBadRequest, rr.Code)
  552. assert.Contains(t, rr.Body.String(), "Invalid token claims")
  553. rr = httptest.NewRecorder()
  554. getFolderByName(rr, req)
  555. assert.Equal(t, http.StatusBadRequest, rr.Code)
  556. assert.Contains(t, rr.Body.String(), "Invalid token claims")
  557. rr = httptest.NewRecorder()
  558. deleteFolder(rr, req)
  559. assert.Equal(t, http.StatusBadRequest, rr.Code)
  560. assert.Contains(t, rr.Body.String(), "Invalid token claims")
  561. rr = httptest.NewRecorder()
  562. server.handleWebAddFolderPost(rr, req)
  563. assert.Equal(t, http.StatusBadRequest, rr.Code)
  564. assert.Contains(t, rr.Body.String(), "invalid token claims")
  565. rr = httptest.NewRecorder()
  566. server.handleWebUpdateFolderPost(rr, req)
  567. assert.Equal(t, http.StatusBadRequest, rr.Code)
  568. assert.Contains(t, rr.Body.String(), "invalid token claims")
  569. rr = httptest.NewRecorder()
  570. server.handleWebGetConnections(rr, req)
  571. assert.Equal(t, http.StatusBadRequest, rr.Code)
  572. assert.Contains(t, rr.Body.String(), "invalid token claims")
  573. rr = httptest.NewRecorder()
  574. server.handleWebConfigsPost(rr, req)
  575. assert.Equal(t, http.StatusBadRequest, rr.Code)
  576. assert.Contains(t, rr.Body.String(), "invalid token claims")
  577. rr = httptest.NewRecorder()
  578. addAdmin(rr, req)
  579. assert.Equal(t, http.StatusBadRequest, rr.Code)
  580. assert.Contains(t, rr.Body.String(), "Invalid token claims")
  581. rr = httptest.NewRecorder()
  582. disableAdmin2FA(rr, req)
  583. assert.Equal(t, http.StatusBadRequest, rr.Code)
  584. assert.Contains(t, rr.Body.String(), "Invalid token claims")
  585. rr = httptest.NewRecorder()
  586. addAPIKey(rr, req)
  587. assert.Equal(t, http.StatusBadRequest, rr.Code)
  588. assert.Contains(t, rr.Body.String(), "Invalid token claims")
  589. rr = httptest.NewRecorder()
  590. updateAPIKey(rr, req)
  591. assert.Equal(t, http.StatusBadRequest, rr.Code)
  592. assert.Contains(t, rr.Body.String(), "Invalid token claims")
  593. rr = httptest.NewRecorder()
  594. deleteAPIKey(rr, req)
  595. assert.Equal(t, http.StatusBadRequest, rr.Code)
  596. assert.Contains(t, rr.Body.String(), "Invalid token claims")
  597. rr = httptest.NewRecorder()
  598. addGroup(rr, req)
  599. assert.Equal(t, http.StatusBadRequest, rr.Code)
  600. assert.Contains(t, rr.Body.String(), "Invalid token claims")
  601. rr = httptest.NewRecorder()
  602. updateGroup(rr, req)
  603. assert.Equal(t, http.StatusBadRequest, rr.Code)
  604. assert.Contains(t, rr.Body.String(), "Invalid token claims")
  605. rr = httptest.NewRecorder()
  606. getGroupByName(rr, req)
  607. assert.Equal(t, http.StatusBadRequest, rr.Code)
  608. assert.Contains(t, rr.Body.String(), "Invalid token claims")
  609. rr = httptest.NewRecorder()
  610. deleteGroup(rr, req)
  611. assert.Equal(t, http.StatusBadRequest, rr.Code)
  612. assert.Contains(t, rr.Body.String(), "Invalid token claims")
  613. rr = httptest.NewRecorder()
  614. addEventAction(rr, req)
  615. assert.Equal(t, http.StatusBadRequest, rr.Code)
  616. assert.Contains(t, rr.Body.String(), "Invalid token claims")
  617. rr = httptest.NewRecorder()
  618. getEventActionByName(rr, req)
  619. assert.Equal(t, http.StatusBadRequest, rr.Code)
  620. assert.Contains(t, rr.Body.String(), "Invalid token claims")
  621. rr = httptest.NewRecorder()
  622. updateEventAction(rr, req)
  623. assert.Equal(t, http.StatusBadRequest, rr.Code)
  624. assert.Contains(t, rr.Body.String(), "Invalid token claims")
  625. rr = httptest.NewRecorder()
  626. deleteEventAction(rr, req)
  627. assert.Equal(t, http.StatusBadRequest, rr.Code)
  628. assert.Contains(t, rr.Body.String(), "Invalid token claims")
  629. rr = httptest.NewRecorder()
  630. getEventRuleByName(rr, req)
  631. assert.Equal(t, http.StatusBadRequest, rr.Code)
  632. assert.Contains(t, rr.Body.String(), "Invalid token claims")
  633. rr = httptest.NewRecorder()
  634. addEventRule(rr, req)
  635. assert.Equal(t, http.StatusBadRequest, rr.Code)
  636. assert.Contains(t, rr.Body.String(), "Invalid token claims")
  637. rr = httptest.NewRecorder()
  638. updateEventRule(rr, req)
  639. assert.Equal(t, http.StatusBadRequest, rr.Code)
  640. assert.Contains(t, rr.Body.String(), "Invalid token claims")
  641. rr = httptest.NewRecorder()
  642. deleteEventRule(rr, req)
  643. assert.Equal(t, http.StatusBadRequest, rr.Code)
  644. assert.Contains(t, rr.Body.String(), "Invalid token claims")
  645. rr = httptest.NewRecorder()
  646. getMetadataChecks(rr, req)
  647. assert.Equal(t, http.StatusBadRequest, rr.Code)
  648. assert.Contains(t, rr.Body.String(), "Invalid token claims")
  649. rr = httptest.NewRecorder()
  650. startMetadataCheck(rr, req)
  651. assert.Equal(t, http.StatusBadRequest, rr.Code)
  652. assert.Contains(t, rr.Body.String(), "Invalid token claims")
  653. rr = httptest.NewRecorder()
  654. getUsersQuotaScans(rr, req)
  655. assert.Equal(t, http.StatusBadRequest, rr.Code)
  656. assert.Contains(t, rr.Body.String(), "Invalid token claims")
  657. rr = httptest.NewRecorder()
  658. updateUserTransferQuotaUsage(rr, req)
  659. assert.Equal(t, http.StatusBadRequest, rr.Code)
  660. assert.Contains(t, rr.Body.String(), "Invalid token claims")
  661. rr = httptest.NewRecorder()
  662. doUpdateUserQuotaUsage(rr, req, "", quotaUsage{})
  663. assert.Equal(t, http.StatusBadRequest, rr.Code)
  664. assert.Contains(t, rr.Body.String(), "Invalid token claims")
  665. rr = httptest.NewRecorder()
  666. doStartUserQuotaScan(rr, req, "")
  667. assert.Equal(t, http.StatusBadRequest, rr.Code)
  668. assert.Contains(t, rr.Body.String(), "Invalid token claims")
  669. rr = httptest.NewRecorder()
  670. getRetentionChecks(rr, req)
  671. assert.Equal(t, http.StatusBadRequest, rr.Code)
  672. assert.Contains(t, rr.Body.String(), "Invalid token claims")
  673. rr = httptest.NewRecorder()
  674. addRole(rr, req)
  675. assert.Equal(t, http.StatusBadRequest, rr.Code)
  676. assert.Contains(t, rr.Body.String(), "Invalid token claims")
  677. rr = httptest.NewRecorder()
  678. updateRole(rr, req)
  679. assert.Equal(t, http.StatusBadRequest, rr.Code)
  680. assert.Contains(t, rr.Body.String(), "Invalid token claims")
  681. rr = httptest.NewRecorder()
  682. deleteRole(rr, req)
  683. assert.Equal(t, http.StatusBadRequest, rr.Code)
  684. assert.Contains(t, rr.Body.String(), "Invalid token claims")
  685. rr = httptest.NewRecorder()
  686. getUsers(rr, req)
  687. assert.Equal(t, http.StatusBadRequest, rr.Code)
  688. assert.Contains(t, rr.Body.String(), "Invalid token claims")
  689. rr = httptest.NewRecorder()
  690. getUserByUsername(rr, req)
  691. assert.Equal(t, http.StatusBadRequest, rr.Code)
  692. assert.Contains(t, rr.Body.String(), "Invalid token claims")
  693. rr = httptest.NewRecorder()
  694. searchFsEvents(rr, req)
  695. assert.Equal(t, http.StatusBadRequest, rr.Code)
  696. assert.Contains(t, rr.Body.String(), "Invalid token claims")
  697. rr = httptest.NewRecorder()
  698. searchProviderEvents(rr, req)
  699. assert.Equal(t, http.StatusBadRequest, rr.Code)
  700. assert.Contains(t, rr.Body.String(), "Invalid token claims")
  701. rr = httptest.NewRecorder()
  702. searchLogEvents(rr, req)
  703. assert.Equal(t, http.StatusBadRequest, rr.Code)
  704. assert.Contains(t, rr.Body.String(), "Invalid token claims")
  705. rr = httptest.NewRecorder()
  706. addIPListEntry(rr, req)
  707. assert.Equal(t, http.StatusBadRequest, rr.Code)
  708. assert.Contains(t, rr.Body.String(), "Invalid token claims")
  709. rr = httptest.NewRecorder()
  710. updateIPListEntry(rr, req)
  711. assert.Equal(t, http.StatusBadRequest, rr.Code)
  712. assert.Contains(t, rr.Body.String(), "Invalid token claims")
  713. rr = httptest.NewRecorder()
  714. deleteIPListEntry(rr, req)
  715. assert.Equal(t, http.StatusBadRequest, rr.Code)
  716. assert.Contains(t, rr.Body.String(), "Invalid token claims")
  717. rr = httptest.NewRecorder()
  718. server.handleGetWebUsers(rr, req)
  719. assert.Equal(t, http.StatusBadRequest, rr.Code)
  720. assert.Contains(t, rr.Body.String(), "invalid token claims")
  721. rr = httptest.NewRecorder()
  722. server.handleWebUpdateUserGet(rr, req)
  723. assert.Equal(t, http.StatusBadRequest, rr.Code)
  724. assert.Contains(t, rr.Body.String(), "invalid token claims")
  725. rr = httptest.NewRecorder()
  726. server.handleWebUpdateRolePost(rr, req)
  727. assert.Equal(t, http.StatusBadRequest, rr.Code)
  728. assert.Contains(t, rr.Body.String(), "invalid token claims")
  729. rr = httptest.NewRecorder()
  730. server.handleWebAddRolePost(rr, req)
  731. assert.Equal(t, http.StatusBadRequest, rr.Code)
  732. assert.Contains(t, rr.Body.String(), "invalid token claims")
  733. rr = httptest.NewRecorder()
  734. server.handleWebAddAdminPost(rr, req)
  735. assert.Equal(t, http.StatusBadRequest, rr.Code)
  736. assert.Contains(t, rr.Body.String(), "invalid token claims")
  737. rr = httptest.NewRecorder()
  738. server.handleWebAddGroupPost(rr, req)
  739. assert.Equal(t, http.StatusBadRequest, rr.Code)
  740. assert.Contains(t, rr.Body.String(), "invalid token claims")
  741. rr = httptest.NewRecorder()
  742. server.handleWebUpdateGroupPost(rr, req)
  743. assert.Equal(t, http.StatusBadRequest, rr.Code)
  744. assert.Contains(t, rr.Body.String(), "invalid token claims")
  745. rr = httptest.NewRecorder()
  746. server.handleWebAddEventActionPost(rr, req)
  747. assert.Equal(t, http.StatusBadRequest, rr.Code)
  748. assert.Contains(t, rr.Body.String(), "invalid token claims")
  749. rr = httptest.NewRecorder()
  750. server.handleWebUpdateEventActionPost(rr, req)
  751. assert.Equal(t, http.StatusBadRequest, rr.Code)
  752. assert.Contains(t, rr.Body.String(), "invalid token claims")
  753. rr = httptest.NewRecorder()
  754. server.handleWebAddEventRulePost(rr, req)
  755. assert.Equal(t, http.StatusBadRequest, rr.Code)
  756. assert.Contains(t, rr.Body.String(), "invalid token claims")
  757. rr = httptest.NewRecorder()
  758. server.handleWebUpdateEventRulePost(rr, req)
  759. assert.Equal(t, http.StatusBadRequest, rr.Code)
  760. assert.Contains(t, rr.Body.String(), "invalid token claims")
  761. rr = httptest.NewRecorder()
  762. server.handleWebUpdateIPListEntryPost(rr, req)
  763. assert.Equal(t, http.StatusBadRequest, rr.Code)
  764. assert.Contains(t, rr.Body.String(), "invalid token claims")
  765. rr = httptest.NewRecorder()
  766. server.handleWebClientTwoFactorRecoveryPost(rr, req)
  767. assert.Equal(t, http.StatusNotFound, rr.Code)
  768. rr = httptest.NewRecorder()
  769. server.handleWebClientTwoFactorPost(rr, req)
  770. assert.Equal(t, http.StatusNotFound, rr.Code)
  771. rr = httptest.NewRecorder()
  772. server.handleWebAdminTwoFactorRecoveryPost(rr, req)
  773. assert.Equal(t, http.StatusNotFound, rr.Code)
  774. rr = httptest.NewRecorder()
  775. server.handleWebAdminTwoFactorPost(rr, req)
  776. assert.Equal(t, http.StatusNotFound, rr.Code)
  777. rr = httptest.NewRecorder()
  778. server.handleWebUpdateIPListEntryPost(rr, req)
  779. assert.Equal(t, http.StatusBadRequest, rr.Code)
  780. assert.Contains(t, rr.Body.String(), "invalid token claims")
  781. form := make(url.Values)
  782. req, _ = http.NewRequest(http.MethodPost, webIPListPath+"/1", bytes.NewBuffer([]byte(form.Encode())))
  783. req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
  784. rctx = chi.NewRouteContext()
  785. rctx.URLParams.Add("type", "1")
  786. req = req.WithContext(context.WithValue(req.Context(), chi.RouteCtxKey, rctx))
  787. rr = httptest.NewRecorder()
  788. server.handleWebAddIPListEntryPost(rr, req)
  789. assert.Equal(t, http.StatusBadRequest, rr.Code, rr.Body.String())
  790. assert.Contains(t, rr.Body.String(), "invalid token claims")
  791. }
  792. func TestUpdateWebAdminInvalidClaims(t *testing.T) {
  793. server := httpdServer{}
  794. server.initializeRouter()
  795. rr := httptest.NewRecorder()
  796. admin := dataprovider.Admin{
  797. Username: "",
  798. Password: "password",
  799. }
  800. c := jwtTokenClaims{
  801. Username: admin.Username,
  802. Permissions: admin.Permissions,
  803. Signature: admin.GetSignature(),
  804. }
  805. token, err := c.createTokenResponse(server.tokenAuth, tokenAudienceWebAdmin, "")
  806. assert.NoError(t, err)
  807. form := make(url.Values)
  808. form.Set(csrfFormToken, createCSRFToken(""))
  809. form.Set("status", "1")
  810. form.Set("default_users_expiration", "30")
  811. req, _ := http.NewRequest(http.MethodPost, path.Join(webAdminPath, "admin"), bytes.NewBuffer([]byte(form.Encode())))
  812. rctx := chi.NewRouteContext()
  813. rctx.URLParams.Add("username", "admin")
  814. req = req.WithContext(context.WithValue(req.Context(), chi.RouteCtxKey, rctx))
  815. req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
  816. req.Header.Set("Cookie", fmt.Sprintf("jwt=%v", token["access_token"]))
  817. server.handleWebUpdateAdminPost(rr, req)
  818. assert.Equal(t, http.StatusOK, rr.Code)
  819. assert.Contains(t, rr.Body.String(), "Invalid token claims")
  820. }
  821. func TestRetentionInvalidTokenClaims(t *testing.T) {
  822. username := "retentionuser"
  823. user := dataprovider.User{
  824. BaseUser: sdk.BaseUser{
  825. Username: username,
  826. Password: "pwd",
  827. HomeDir: filepath.Join(os.TempDir(), username),
  828. Status: 1,
  829. },
  830. }
  831. user.Permissions = make(map[string][]string)
  832. user.Permissions["/"] = []string{dataprovider.PermAny}
  833. user.Filters.AllowAPIKeyAuth = true
  834. err := dataprovider.AddUser(&user, "", "", "")
  835. assert.NoError(t, err)
  836. folderRetention := []dataprovider.FolderRetention{
  837. {
  838. Path: "/",
  839. Retention: 0,
  840. DeleteEmptyDirs: true,
  841. },
  842. }
  843. asJSON, err := json.Marshal(folderRetention)
  844. assert.NoError(t, err)
  845. req, _ := http.NewRequest(http.MethodPost, retentionBasePath+"/"+username+"/check?notifications=Email", bytes.NewBuffer(asJSON))
  846. rctx := chi.NewRouteContext()
  847. rctx.URLParams.Add("username", username)
  848. req = req.WithContext(context.WithValue(req.Context(), chi.RouteCtxKey, rctx))
  849. req = req.WithContext(context.WithValue(req.Context(), jwtauth.ErrorCtxKey, errors.New("error")))
  850. rr := httptest.NewRecorder()
  851. startRetentionCheck(rr, req)
  852. assert.Equal(t, http.StatusBadRequest, rr.Code)
  853. assert.Contains(t, rr.Body.String(), "Invalid token claims")
  854. err = dataprovider.DeleteUser(username, "", "", "")
  855. assert.NoError(t, err)
  856. }
  857. func TestUpdateSMTPSecrets(t *testing.T) {
  858. currentConfigs := &dataprovider.SMTPConfigs{
  859. OAuth2: dataprovider.SMTPOAuth2{
  860. ClientSecret: kms.NewPlainSecret("client secret"),
  861. RefreshToken: kms.NewPlainSecret("refresh token"),
  862. },
  863. }
  864. redactedClientSecret := kms.NewPlainSecret("secret")
  865. redactedRefreshToken := kms.NewPlainSecret("token")
  866. redactedClientSecret.SetStatus(sdkkms.SecretStatusRedacted)
  867. redactedRefreshToken.SetStatus(sdkkms.SecretStatusRedacted)
  868. newConfigs := &dataprovider.SMTPConfigs{
  869. Password: kms.NewPlainSecret("pwd"),
  870. OAuth2: dataprovider.SMTPOAuth2{
  871. ClientSecret: redactedClientSecret,
  872. RefreshToken: redactedRefreshToken,
  873. },
  874. }
  875. updateSMTPSecrets(newConfigs, currentConfigs)
  876. assert.Nil(t, currentConfigs.Password)
  877. assert.NotNil(t, newConfigs.Password)
  878. assert.Equal(t, currentConfigs.OAuth2.ClientSecret, newConfigs.OAuth2.ClientSecret)
  879. assert.Equal(t, currentConfigs.OAuth2.RefreshToken, newConfigs.OAuth2.RefreshToken)
  880. clientSecret := kms.NewPlainSecret("plain secret")
  881. refreshToken := kms.NewPlainSecret("plain token")
  882. newConfigs = &dataprovider.SMTPConfigs{
  883. Password: kms.NewPlainSecret("pwd"),
  884. OAuth2: dataprovider.SMTPOAuth2{
  885. ClientSecret: clientSecret,
  886. RefreshToken: refreshToken,
  887. },
  888. }
  889. updateSMTPSecrets(newConfigs, currentConfigs)
  890. assert.Equal(t, clientSecret, newConfigs.OAuth2.ClientSecret)
  891. assert.Equal(t, refreshToken, newConfigs.OAuth2.RefreshToken)
  892. }
  893. func TestOAuth2Redirect(t *testing.T) {
  894. server := httpdServer{}
  895. server.initializeRouter()
  896. rr := httptest.NewRecorder()
  897. req, err := http.NewRequest(http.MethodGet, webOAuth2RedirectPath+"?state=invalid", nil)
  898. assert.NoError(t, err)
  899. server.handleOAuth2TokenRedirect(rr, req)
  900. assert.Equal(t, http.StatusBadRequest, rr.Code)
  901. assert.Contains(t, rr.Body.String(), "token is unauthorized")
  902. ip := "127.1.1.4"
  903. tokenString := createOAuth2Token(xid.New().String(), ip)
  904. rr = httptest.NewRecorder()
  905. req, err = http.NewRequest(http.MethodGet, webOAuth2RedirectPath+"?state="+tokenString, nil) //nolint:goconst
  906. assert.NoError(t, err)
  907. req.RemoteAddr = ip
  908. server.handleOAuth2TokenRedirect(rr, req)
  909. assert.Equal(t, http.StatusInternalServerError, rr.Code)
  910. assert.Contains(t, rr.Body.String(), "no auth request found for the specified state")
  911. }
  912. func TestOAuth2Token(t *testing.T) {
  913. // invalid token
  914. _, err := verifyOAuth2Token("token", "")
  915. if assert.Error(t, err) {
  916. assert.Contains(t, err.Error(), "unable to verify OAuth2 state")
  917. }
  918. // bad audience
  919. claims := make(map[string]any)
  920. now := time.Now().UTC()
  921. claims[jwt.JwtIDKey] = xid.New().String()
  922. claims[jwt.NotBeforeKey] = now.Add(-30 * time.Second)
  923. claims[jwt.ExpirationKey] = now.Add(tokenDuration)
  924. claims[jwt.AudienceKey] = []string{tokenAudienceAPI}
  925. _, tokenString, err := csrfTokenAuth.Encode(claims)
  926. assert.NoError(t, err)
  927. _, err = verifyOAuth2Token(tokenString, "")
  928. if assert.Error(t, err) {
  929. assert.Contains(t, err.Error(), "invalid OAuth2 state")
  930. }
  931. // bad IP
  932. tokenString = createOAuth2Token("state", "127.1.1.1")
  933. _, err = verifyOAuth2Token(tokenString, "127.1.1.2")
  934. if assert.Error(t, err) {
  935. assert.Contains(t, err.Error(), "invalid OAuth2 state")
  936. }
  937. // ok
  938. state := xid.New().String()
  939. tokenString = createOAuth2Token(state, "127.1.1.3")
  940. s, err := verifyOAuth2Token(tokenString, "127.1.1.3")
  941. assert.NoError(t, err)
  942. assert.Equal(t, state, s)
  943. // no jti
  944. claims = make(map[string]any)
  945. claims[jwt.NotBeforeKey] = now.Add(-30 * time.Second)
  946. claims[jwt.ExpirationKey] = now.Add(tokenDuration)
  947. claims[jwt.AudienceKey] = []string{tokenAudienceOAuth2, "127.1.1.4"}
  948. _, tokenString, err = csrfTokenAuth.Encode(claims)
  949. assert.NoError(t, err)
  950. _, err = verifyOAuth2Token(tokenString, "127.1.1.4")
  951. if assert.Error(t, err) {
  952. assert.Contains(t, err.Error(), "invalid OAuth2 state")
  953. }
  954. // encode error
  955. csrfTokenAuth = jwtauth.New("HT256", util.GenerateRandomBytes(32), nil)
  956. tokenString = createOAuth2Token(xid.New().String(), "")
  957. assert.Empty(t, tokenString)
  958. server := httpdServer{}
  959. server.initializeRouter()
  960. rr := httptest.NewRecorder()
  961. testReq := make(map[string]any)
  962. testReq["base_redirect_url"] = "http://localhost:8082"
  963. asJSON, err := json.Marshal(testReq)
  964. assert.NoError(t, err)
  965. req, err := http.NewRequest(http.MethodPost, webOAuth2TokenPath, bytes.NewBuffer(asJSON))
  966. assert.NoError(t, err)
  967. handleSMTPOAuth2TokenRequestPost(rr, req)
  968. assert.Equal(t, http.StatusInternalServerError, rr.Code)
  969. assert.Contains(t, rr.Body.String(), "unable to create state token")
  970. csrfTokenAuth = jwtauth.New(jwa.HS256.String(), util.GenerateRandomBytes(32), nil)
  971. }
  972. func TestCSRFToken(t *testing.T) {
  973. // invalid token
  974. err := verifyCSRFToken("token", "")
  975. if assert.Error(t, err) {
  976. assert.Contains(t, err.Error(), "unable to verify form token")
  977. }
  978. // bad audience
  979. claims := make(map[string]any)
  980. now := time.Now().UTC()
  981. claims[jwt.JwtIDKey] = xid.New().String()
  982. claims[jwt.NotBeforeKey] = now.Add(-30 * time.Second)
  983. claims[jwt.ExpirationKey] = now.Add(tokenDuration)
  984. claims[jwt.AudienceKey] = []string{tokenAudienceAPI}
  985. _, tokenString, err := csrfTokenAuth.Encode(claims)
  986. assert.NoError(t, err)
  987. err = verifyCSRFToken(tokenString, "")
  988. if assert.Error(t, err) {
  989. assert.Contains(t, err.Error(), "form token is not valid")
  990. }
  991. // bad IP
  992. tokenString = createCSRFToken("127.1.1.1")
  993. err = verifyCSRFToken(tokenString, "127.1.1.2")
  994. if assert.Error(t, err) {
  995. assert.Contains(t, err.Error(), "form token is not valid")
  996. }
  997. claims[jwt.JwtIDKey] = xid.New().String()
  998. claims[jwt.NotBeforeKey] = now.Add(-30 * time.Second)
  999. claims[jwt.ExpirationKey] = now.Add(tokenDuration)
  1000. claims[jwt.AudienceKey] = []string{tokenAudienceAPI}
  1001. _, tokenString, err = csrfTokenAuth.Encode(claims)
  1002. assert.NoError(t, err)
  1003. r := GetHTTPRouter(Binding{
  1004. Address: "",
  1005. Port: 8080,
  1006. EnableWebAdmin: true,
  1007. EnableWebClient: true,
  1008. EnableRESTAPI: true,
  1009. RenderOpenAPI: true,
  1010. })
  1011. fn := verifyCSRFHeader(r)
  1012. rr := httptest.NewRecorder()
  1013. req, _ := http.NewRequest(http.MethodDelete, path.Join(userPath, "username"), nil)
  1014. fn.ServeHTTP(rr, req)
  1015. assert.Equal(t, http.StatusForbidden, rr.Code)
  1016. assert.Contains(t, rr.Body.String(), "Invalid token")
  1017. // invalid audience
  1018. req.Header.Set(csrfHeaderToken, tokenString)
  1019. rr = httptest.NewRecorder()
  1020. fn.ServeHTTP(rr, req)
  1021. assert.Equal(t, http.StatusForbidden, rr.Code)
  1022. assert.Contains(t, rr.Body.String(), "the token is not valid")
  1023. // invalid IP
  1024. tokenString = createCSRFToken("172.16.1.2")
  1025. req.Header.Set(csrfHeaderToken, tokenString)
  1026. rr = httptest.NewRecorder()
  1027. fn.ServeHTTP(rr, req)
  1028. assert.Equal(t, http.StatusForbidden, rr.Code)
  1029. assert.Contains(t, rr.Body.String(), "the token is not valid")
  1030. csrfTokenAuth = jwtauth.New("PS256", util.GenerateRandomBytes(32), nil)
  1031. tokenString = createCSRFToken("")
  1032. assert.Empty(t, tokenString)
  1033. csrfTokenAuth = jwtauth.New(jwa.HS256.String(), util.GenerateRandomBytes(32), nil)
  1034. }
  1035. func TestCreateShareCookieError(t *testing.T) {
  1036. username := "share_user"
  1037. pwd := util.GenerateUniqueID()
  1038. user := &dataprovider.User{
  1039. BaseUser: sdk.BaseUser{
  1040. Username: username,
  1041. Password: pwd,
  1042. HomeDir: filepath.Join(os.TempDir(), username),
  1043. Status: 1,
  1044. Permissions: map[string][]string{
  1045. "/": {dataprovider.PermAny},
  1046. },
  1047. },
  1048. }
  1049. err := dataprovider.AddUser(user, "", "", "")
  1050. assert.NoError(t, err)
  1051. share := &dataprovider.Share{
  1052. Name: "test share cookie error",
  1053. ShareID: util.GenerateUniqueID(),
  1054. Scope: dataprovider.ShareScopeRead,
  1055. Password: pwd,
  1056. Paths: []string{"/"},
  1057. Username: username,
  1058. }
  1059. err = dataprovider.AddShare(share, "", "", "")
  1060. assert.NoError(t, err)
  1061. server := httpdServer{
  1062. tokenAuth: jwtauth.New("TS256", util.GenerateRandomBytes(32), nil),
  1063. }
  1064. form := make(url.Values)
  1065. form.Set("share_password", pwd)
  1066. form.Set(csrfFormToken, createCSRFToken("127.0.0.1"))
  1067. rctx := chi.NewRouteContext()
  1068. rctx.URLParams.Add("id", share.ShareID)
  1069. rr := httptest.NewRecorder()
  1070. req, err := http.NewRequest(http.MethodPost, path.Join(webClientPubSharesPath, share.ShareID, "login"),
  1071. bytes.NewBuffer([]byte(form.Encode())))
  1072. assert.NoError(t, err)
  1073. req.RemoteAddr = "127.0.0.1:2345"
  1074. req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
  1075. req = req.WithContext(context.WithValue(req.Context(), chi.RouteCtxKey, rctx))
  1076. server.handleClientShareLoginPost(rr, req)
  1077. assert.Equal(t, http.StatusOK, rr.Code, rr.Body.String())
  1078. assert.Contains(t, rr.Body.String(), common.ErrInternalFailure.Error())
  1079. err = dataprovider.DeleteUser(username, "", "", "")
  1080. assert.NoError(t, err)
  1081. }
  1082. func TestCreateTokenError(t *testing.T) {
  1083. server := httpdServer{
  1084. tokenAuth: jwtauth.New("PS256", util.GenerateRandomBytes(32), nil),
  1085. }
  1086. rr := httptest.NewRecorder()
  1087. admin := dataprovider.Admin{
  1088. Username: defaultAdminUsername,
  1089. Password: "password",
  1090. }
  1091. req, _ := http.NewRequest(http.MethodGet, tokenPath, nil)
  1092. server.generateAndSendToken(rr, req, admin, "")
  1093. assert.Equal(t, http.StatusInternalServerError, rr.Code)
  1094. rr = httptest.NewRecorder()
  1095. user := dataprovider.User{
  1096. BaseUser: sdk.BaseUser{
  1097. Username: "u",
  1098. Password: util.GenerateUniqueID(),
  1099. },
  1100. }
  1101. req, _ = http.NewRequest(http.MethodGet, userTokenPath, nil)
  1102. server.generateAndSendUserToken(rr, req, "", user)
  1103. assert.Equal(t, http.StatusInternalServerError, rr.Code)
  1104. rr = httptest.NewRecorder()
  1105. form := make(url.Values)
  1106. form.Set("username", admin.Username)
  1107. form.Set("password", admin.Password)
  1108. form.Set(csrfFormToken, createCSRFToken("127.0.0.1"))
  1109. req, _ = http.NewRequest(http.MethodPost, webAdminLoginPath, bytes.NewBuffer([]byte(form.Encode())))
  1110. req.RemoteAddr = "127.0.0.1:1234"
  1111. req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
  1112. server.handleWebAdminLoginPost(rr, req)
  1113. assert.Equal(t, http.StatusOK, rr.Code, rr.Body.String())
  1114. // req with no content type
  1115. req, _ = http.NewRequest(http.MethodPost, webAdminLoginPath, nil)
  1116. rr = httptest.NewRecorder()
  1117. server.handleWebAdminLoginPost(rr, req)
  1118. assert.Equal(t, http.StatusOK, rr.Code, rr.Body.String())
  1119. req, _ = http.NewRequest(http.MethodPost, webAdminSetupPath, nil)
  1120. rr = httptest.NewRecorder()
  1121. server.loginAdmin(rr, req, &admin, false, nil, "")
  1122. // req with no POST body
  1123. req, _ = http.NewRequest(http.MethodGet, webAdminLoginPath+"?a=a%C3%AO%GG", nil)
  1124. req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
  1125. rr = httptest.NewRecorder()
  1126. server.handleWebAdminLoginPost(rr, req)
  1127. assert.Equal(t, http.StatusOK, rr.Code, rr.Body.String())
  1128. req, _ = http.NewRequest(http.MethodGet, webAdminLoginPath+"?a=a%C3%A1%G2", nil)
  1129. req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
  1130. rr = httptest.NewRecorder()
  1131. server.handleWebAdminChangePwdPost(rr, req)
  1132. assert.Equal(t, http.StatusOK, rr.Code, rr.Body.String())
  1133. assert.Contains(t, rr.Body.String(), "invalid URL escape")
  1134. req, _ = http.NewRequest(http.MethodGet, webAdminLoginPath+"?a=a%C3%A2%G3", nil)
  1135. req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
  1136. _, err := getAdminFromPostFields(req)
  1137. assert.Error(t, err)
  1138. req, _ = http.NewRequest(http.MethodPost, webAdminEventActionPath+"?a=a%C3%A2%GG", nil)
  1139. req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
  1140. _, err = getEventActionFromPostFields(req)
  1141. assert.Error(t, err)
  1142. req, _ = http.NewRequest(http.MethodPost, webAdminEventRulePath+"?a=a%C3%A3%GG", nil)
  1143. req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
  1144. _, err = getEventRuleFromPostFields(req)
  1145. assert.Error(t, err)
  1146. req, _ = http.NewRequest(http.MethodPost, webIPListPath+"/1?a=a%C3%AO%GG", nil)
  1147. req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
  1148. _, err = getIPListEntryFromPostFields(req, dataprovider.IPListTypeAllowList)
  1149. assert.Error(t, err)
  1150. req, _ = http.NewRequest(http.MethodPost, path.Join(webClientSharePath, "shareID", "login?a=a%C3%AO%GG"), bytes.NewBuffer([]byte(form.Encode())))
  1151. req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
  1152. rr = httptest.NewRecorder()
  1153. server.handleClientShareLoginPost(rr, req)
  1154. assert.Equal(t, http.StatusOK, rr.Code, rr.Body.String())
  1155. req, _ = http.NewRequest(http.MethodPost, webClientLoginPath+"?a=a%C3%AO%GG", bytes.NewBuffer([]byte(form.Encode())))
  1156. req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
  1157. rr = httptest.NewRecorder()
  1158. server.handleWebClientLoginPost(rr, req)
  1159. assert.Equal(t, http.StatusOK, rr.Code, rr.Body.String())
  1160. req, _ = http.NewRequest(http.MethodPost, webChangeClientPwdPath+"?a=a%C3%AO%GA", bytes.NewBuffer([]byte(form.Encode())))
  1161. req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
  1162. rr = httptest.NewRecorder()
  1163. server.handleWebClientChangePwdPost(rr, req)
  1164. assert.Equal(t, http.StatusOK, rr.Code, rr.Body.String())
  1165. assert.Contains(t, rr.Body.String(), "invalid URL escape")
  1166. req, _ = http.NewRequest(http.MethodPost, webClientProfilePath+"?a=a%C3%AO%GB", bytes.NewBuffer([]byte(form.Encode())))
  1167. req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
  1168. rr = httptest.NewRecorder()
  1169. server.handleWebClientProfilePost(rr, req)
  1170. assert.Equal(t, http.StatusInternalServerError, rr.Code, rr.Body.String())
  1171. req, _ = http.NewRequest(http.MethodPost, webAdminProfilePath+"?a=a%C3%AO%GB", bytes.NewBuffer([]byte(form.Encode())))
  1172. req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
  1173. rr = httptest.NewRecorder()
  1174. server.handleWebAdminProfilePost(rr, req)
  1175. assert.Equal(t, http.StatusInternalServerError, rr.Code, rr.Body.String())
  1176. req, _ = http.NewRequest(http.MethodPost, webAdminTwoFactorPath+"?a=a%C3%AO%GC", bytes.NewBuffer([]byte(form.Encode())))
  1177. req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
  1178. rr = httptest.NewRecorder()
  1179. server.handleWebAdminTwoFactorPost(rr, req)
  1180. assert.Equal(t, http.StatusOK, rr.Code, rr.Body.String())
  1181. assert.Contains(t, rr.Body.String(), "invalid URL escape")
  1182. req, _ = http.NewRequest(http.MethodPost, webAdminTwoFactorRecoveryPath+"?a=a%C3%AO%GD", bytes.NewBuffer([]byte(form.Encode())))
  1183. req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
  1184. rr = httptest.NewRecorder()
  1185. server.handleWebAdminTwoFactorRecoveryPost(rr, req)
  1186. assert.Equal(t, http.StatusOK, rr.Code, rr.Body.String())
  1187. assert.Contains(t, rr.Body.String(), "invalid URL escape")
  1188. req, _ = http.NewRequest(http.MethodPost, webClientTwoFactorPath+"?a=a%C3%AO%GC", bytes.NewBuffer([]byte(form.Encode())))
  1189. req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
  1190. rr = httptest.NewRecorder()
  1191. server.handleWebClientTwoFactorPost(rr, req)
  1192. assert.Equal(t, http.StatusOK, rr.Code, rr.Body.String())
  1193. assert.Contains(t, rr.Body.String(), "invalid URL escape")
  1194. req, _ = http.NewRequest(http.MethodPost, webClientTwoFactorRecoveryPath+"?a=a%C3%AO%GD", bytes.NewBuffer([]byte(form.Encode())))
  1195. req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
  1196. rr = httptest.NewRecorder()
  1197. server.handleWebClientTwoFactorRecoveryPost(rr, req)
  1198. assert.Equal(t, http.StatusOK, rr.Code, rr.Body.String())
  1199. assert.Contains(t, rr.Body.String(), "invalid URL escape")
  1200. req, _ = http.NewRequest(http.MethodPost, webAdminForgotPwdPath+"?a=a%C3%A1%GD", bytes.NewBuffer([]byte(form.Encode())))
  1201. req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
  1202. rr = httptest.NewRecorder()
  1203. server.handleWebAdminForgotPwdPost(rr, req)
  1204. assert.Equal(t, http.StatusOK, rr.Code, rr.Body.String())
  1205. assert.Contains(t, rr.Body.String(), "invalid URL escape")
  1206. req, _ = http.NewRequest(http.MethodPost, webClientForgotPwdPath+"?a=a%C2%A1%GD", bytes.NewBuffer([]byte(form.Encode())))
  1207. req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
  1208. rr = httptest.NewRecorder()
  1209. server.handleWebClientForgotPwdPost(rr, req)
  1210. assert.Equal(t, http.StatusOK, rr.Code, rr.Body.String())
  1211. assert.Contains(t, rr.Body.String(), "invalid URL escape")
  1212. req, _ = http.NewRequest(http.MethodPost, webAdminResetPwdPath+"?a=a%C3%AO%JD", bytes.NewBuffer([]byte(form.Encode())))
  1213. req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
  1214. rr = httptest.NewRecorder()
  1215. server.handleWebAdminPasswordResetPost(rr, req)
  1216. assert.Equal(t, http.StatusOK, rr.Code, rr.Body.String())
  1217. assert.Contains(t, rr.Body.String(), "invalid URL escape")
  1218. req, _ = http.NewRequest(http.MethodPost, webAdminRolePath+"?a=a%C3%AO%JE", bytes.NewBuffer([]byte(form.Encode())))
  1219. req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
  1220. rr = httptest.NewRecorder()
  1221. server.handleWebAddRolePost(rr, req)
  1222. assert.Equal(t, http.StatusOK, rr.Code, rr.Body.String())
  1223. assert.Contains(t, rr.Body.String(), "invalid URL escape")
  1224. req, _ = http.NewRequest(http.MethodPost, webClientResetPwdPath+"?a=a%C3%AO%JD", bytes.NewBuffer([]byte(form.Encode())))
  1225. req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
  1226. rr = httptest.NewRecorder()
  1227. server.handleWebClientPasswordResetPost(rr, req)
  1228. assert.Equal(t, http.StatusOK, rr.Code, rr.Body.String())
  1229. assert.Contains(t, rr.Body.String(), "invalid URL escape")
  1230. req, _ = http.NewRequest(http.MethodPost, webChangeClientPwdPath+"?a=a%K3%AO%GA", bytes.NewBuffer([]byte(form.Encode())))
  1231. _, err = getShareFromPostFields(req)
  1232. if assert.Error(t, err) {
  1233. assert.Contains(t, err.Error(), "invalid URL escape")
  1234. }
  1235. username := "webclientuser"
  1236. user = dataprovider.User{
  1237. BaseUser: sdk.BaseUser{
  1238. Username: username,
  1239. Password: "clientpwd",
  1240. HomeDir: filepath.Join(os.TempDir(), username),
  1241. Status: 1,
  1242. Description: "test user",
  1243. },
  1244. }
  1245. user.Permissions = make(map[string][]string)
  1246. user.Permissions["/"] = []string{dataprovider.PermAny}
  1247. user.Filters.AllowAPIKeyAuth = true
  1248. err = dataprovider.AddUser(&user, "", "", "")
  1249. assert.NoError(t, err)
  1250. rr = httptest.NewRecorder()
  1251. form = make(url.Values)
  1252. form.Set("username", user.Username)
  1253. form.Set("password", "clientpwd")
  1254. form.Set(csrfFormToken, createCSRFToken("127.0.0.1"))
  1255. req, _ = http.NewRequest(http.MethodPost, webClientLoginPath, bytes.NewBuffer([]byte(form.Encode())))
  1256. req.RemoteAddr = "127.0.0.1:4567"
  1257. req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
  1258. server.handleWebClientLoginPost(rr, req)
  1259. assert.Equal(t, http.StatusOK, rr.Code, rr.Body.String())
  1260. err = authenticateUserWithAPIKey(username, "", server.tokenAuth, req)
  1261. assert.Error(t, err)
  1262. err = dataprovider.DeleteUser(username, "", "", "")
  1263. assert.NoError(t, err)
  1264. err = os.RemoveAll(user.HomeDir)
  1265. assert.NoError(t, err)
  1266. admin.Username += "1"
  1267. admin.Status = 1
  1268. admin.Filters.AllowAPIKeyAuth = true
  1269. admin.Permissions = []string{dataprovider.PermAdminAny}
  1270. err = dataprovider.AddAdmin(&admin, "", "", "")
  1271. assert.NoError(t, err)
  1272. err = authenticateAdminWithAPIKey(admin.Username, "", server.tokenAuth, req)
  1273. assert.Error(t, err)
  1274. err = dataprovider.DeleteAdmin(admin.Username, "", "", "")
  1275. assert.NoError(t, err)
  1276. }
  1277. func TestAPIKeyAuthForbidden(t *testing.T) {
  1278. r := GetHTTPRouter(Binding{
  1279. Address: "",
  1280. Port: 8080,
  1281. EnableWebAdmin: true,
  1282. EnableWebClient: true,
  1283. EnableRESTAPI: true,
  1284. RenderOpenAPI: true,
  1285. })
  1286. fn := forbidAPIKeyAuthentication(r)
  1287. rr := httptest.NewRecorder()
  1288. req, _ := http.NewRequest(http.MethodGet, versionPath, nil)
  1289. fn.ServeHTTP(rr, req)
  1290. assert.Equal(t, http.StatusBadRequest, rr.Code)
  1291. assert.Contains(t, rr.Body.String(), "Invalid token claims")
  1292. }
  1293. func TestJWTTokenValidation(t *testing.T) {
  1294. tokenAuth := jwtauth.New(jwa.HS256.String(), util.GenerateRandomBytes(32), nil)
  1295. claims := make(map[string]any)
  1296. claims["username"] = defaultAdminUsername
  1297. claims[jwt.ExpirationKey] = time.Now().UTC().Add(-1 * time.Hour)
  1298. token, _, err := tokenAuth.Encode(claims)
  1299. assert.NoError(t, err)
  1300. server := httpdServer{
  1301. binding: Binding{
  1302. Address: "",
  1303. Port: 8080,
  1304. EnableWebAdmin: true,
  1305. EnableWebClient: true,
  1306. EnableRESTAPI: true,
  1307. RenderOpenAPI: true,
  1308. },
  1309. }
  1310. server.initializeRouter()
  1311. r := server.router
  1312. fn := jwtAuthenticatorAPI(r)
  1313. rr := httptest.NewRecorder()
  1314. req, _ := http.NewRequest(http.MethodGet, userPath, nil)
  1315. ctx := jwtauth.NewContext(req.Context(), token, nil)
  1316. fn.ServeHTTP(rr, req.WithContext(ctx))
  1317. assert.Equal(t, http.StatusUnauthorized, rr.Code)
  1318. fn = jwtAuthenticatorWebAdmin(r)
  1319. rr = httptest.NewRecorder()
  1320. req, _ = http.NewRequest(http.MethodGet, webUserPath, nil)
  1321. ctx = jwtauth.NewContext(req.Context(), token, nil)
  1322. fn.ServeHTTP(rr, req.WithContext(ctx))
  1323. assert.Equal(t, http.StatusFound, rr.Code)
  1324. assert.Equal(t, webAdminLoginPath, rr.Header().Get("Location"))
  1325. fn = jwtAuthenticatorWebClient(r)
  1326. rr = httptest.NewRecorder()
  1327. req, _ = http.NewRequest(http.MethodGet, webClientFilesPath, nil)
  1328. ctx = jwtauth.NewContext(req.Context(), token, nil)
  1329. fn.ServeHTTP(rr, req.WithContext(ctx))
  1330. assert.Equal(t, http.StatusFound, rr.Code)
  1331. assert.Equal(t, webClientLoginPath, rr.Header().Get("Location"))
  1332. errTest := errors.New("test error")
  1333. permFn := server.checkPerm(dataprovider.PermAdminAny)
  1334. fn = permFn(r)
  1335. rr = httptest.NewRecorder()
  1336. req, _ = http.NewRequest(http.MethodGet, userPath, nil)
  1337. ctx = jwtauth.NewContext(req.Context(), token, errTest)
  1338. fn.ServeHTTP(rr, req.WithContext(ctx))
  1339. assert.Equal(t, http.StatusBadRequest, rr.Code)
  1340. permFn = server.checkPerm(dataprovider.PermAdminAny)
  1341. fn = permFn(r)
  1342. rr = httptest.NewRecorder()
  1343. req, _ = http.NewRequest(http.MethodGet, webUserPath, nil)
  1344. req.RequestURI = webUserPath
  1345. ctx = jwtauth.NewContext(req.Context(), token, errTest)
  1346. fn.ServeHTTP(rr, req.WithContext(ctx))
  1347. assert.Equal(t, http.StatusBadRequest, rr.Code)
  1348. permClientFn := server.checkHTTPUserPerm(sdk.WebClientPubKeyChangeDisabled)
  1349. fn = permClientFn(r)
  1350. rr = httptest.NewRecorder()
  1351. req, _ = http.NewRequest(http.MethodPost, webClientProfilePath, nil)
  1352. req.RequestURI = webClientProfilePath
  1353. ctx = jwtauth.NewContext(req.Context(), token, errTest)
  1354. fn.ServeHTTP(rr, req.WithContext(ctx))
  1355. assert.Equal(t, http.StatusBadRequest, rr.Code)
  1356. rr = httptest.NewRecorder()
  1357. req, _ = http.NewRequest(http.MethodPost, userProfilePath, nil)
  1358. req.RequestURI = userProfilePath
  1359. ctx = jwtauth.NewContext(req.Context(), token, errTest)
  1360. fn.ServeHTTP(rr, req.WithContext(ctx))
  1361. assert.Equal(t, http.StatusBadRequest, rr.Code)
  1362. fn = server.checkAuthRequirements(r)
  1363. rr = httptest.NewRecorder()
  1364. req, _ = http.NewRequest(http.MethodPost, webClientProfilePath, nil)
  1365. req.RequestURI = webClientProfilePath
  1366. ctx = jwtauth.NewContext(req.Context(), token, errTest)
  1367. fn.ServeHTTP(rr, req.WithContext(ctx))
  1368. assert.Equal(t, http.StatusBadRequest, rr.Code)
  1369. rr = httptest.NewRecorder()
  1370. req, _ = http.NewRequest(http.MethodPost, userSharesPath, nil)
  1371. req.RequestURI = userSharesPath
  1372. ctx = jwtauth.NewContext(req.Context(), token, errTest)
  1373. fn.ServeHTTP(rr, req.WithContext(ctx))
  1374. assert.Equal(t, http.StatusBadRequest, rr.Code)
  1375. }
  1376. func TestUpdateContextFromCookie(t *testing.T) {
  1377. server := httpdServer{
  1378. tokenAuth: jwtauth.New(jwa.HS256.String(), util.GenerateRandomBytes(32), nil),
  1379. }
  1380. req, _ := http.NewRequest(http.MethodGet, tokenPath, nil)
  1381. claims := make(map[string]any)
  1382. claims["a"] = "b"
  1383. token, _, err := server.tokenAuth.Encode(claims)
  1384. assert.NoError(t, err)
  1385. ctx := jwtauth.NewContext(req.Context(), token, nil)
  1386. server.updateContextFromCookie(req.WithContext(ctx))
  1387. }
  1388. func TestCookieExpiration(t *testing.T) {
  1389. server := httpdServer{
  1390. tokenAuth: jwtauth.New(jwa.HS256.String(), util.GenerateRandomBytes(32), nil),
  1391. }
  1392. err := errors.New("test error")
  1393. rr := httptest.NewRecorder()
  1394. req, _ := http.NewRequest(http.MethodGet, tokenPath, nil)
  1395. ctx := jwtauth.NewContext(req.Context(), nil, err)
  1396. server.checkCookieExpiration(rr, req.WithContext(ctx))
  1397. cookie := rr.Header().Get("Set-Cookie")
  1398. assert.Empty(t, cookie)
  1399. req, _ = http.NewRequest(http.MethodGet, tokenPath, nil)
  1400. claims := make(map[string]any)
  1401. claims["a"] = "b"
  1402. token, _, err := server.tokenAuth.Encode(claims)
  1403. assert.NoError(t, err)
  1404. ctx = jwtauth.NewContext(req.Context(), token, nil)
  1405. server.checkCookieExpiration(rr, req.WithContext(ctx))
  1406. cookie = rr.Header().Get("Set-Cookie")
  1407. assert.Empty(t, cookie)
  1408. admin := dataprovider.Admin{
  1409. Username: "newtestadmin",
  1410. Password: "password",
  1411. Permissions: []string{dataprovider.PermAdminAny},
  1412. }
  1413. claims = make(map[string]any)
  1414. claims[claimUsernameKey] = admin.Username
  1415. claims[claimPermissionsKey] = admin.Permissions
  1416. claims[jwt.SubjectKey] = admin.GetSignature()
  1417. claims[jwt.ExpirationKey] = time.Now().Add(1 * time.Minute)
  1418. claims[jwt.AudienceKey] = []string{tokenAudienceAPI}
  1419. token, _, err = server.tokenAuth.Encode(claims)
  1420. assert.NoError(t, err)
  1421. req, _ = http.NewRequest(http.MethodGet, tokenPath, nil)
  1422. ctx = jwtauth.NewContext(req.Context(), token, nil)
  1423. server.checkCookieExpiration(rr, req.WithContext(ctx))
  1424. cookie = rr.Header().Get("Set-Cookie")
  1425. assert.Empty(t, cookie)
  1426. admin.Status = 0
  1427. err = dataprovider.AddAdmin(&admin, "", "", "")
  1428. assert.NoError(t, err)
  1429. req, _ = http.NewRequest(http.MethodGet, tokenPath, nil)
  1430. ctx = jwtauth.NewContext(req.Context(), token, nil)
  1431. server.checkCookieExpiration(rr, req.WithContext(ctx))
  1432. cookie = rr.Header().Get("Set-Cookie")
  1433. assert.Empty(t, cookie)
  1434. admin.Status = 1
  1435. admin.Filters.AllowList = []string{"172.16.1.0/24"}
  1436. err = dataprovider.UpdateAdmin(&admin, "", "", "")
  1437. assert.NoError(t, err)
  1438. req, _ = http.NewRequest(http.MethodGet, tokenPath, nil)
  1439. ctx = jwtauth.NewContext(req.Context(), token, nil)
  1440. server.checkCookieExpiration(rr, req.WithContext(ctx))
  1441. cookie = rr.Header().Get("Set-Cookie")
  1442. assert.Empty(t, cookie)
  1443. admin, err = dataprovider.AdminExists(admin.Username)
  1444. assert.NoError(t, err)
  1445. claims = make(map[string]any)
  1446. claims[claimUsernameKey] = admin.Username
  1447. claims[claimPermissionsKey] = admin.Permissions
  1448. claims[jwt.SubjectKey] = admin.GetSignature()
  1449. claims[jwt.ExpirationKey] = time.Now().Add(1 * time.Minute)
  1450. claims[jwt.AudienceKey] = []string{tokenAudienceAPI}
  1451. token, _, err = server.tokenAuth.Encode(claims)
  1452. assert.NoError(t, err)
  1453. req, _ = http.NewRequest(http.MethodGet, tokenPath, nil)
  1454. req.RemoteAddr = "192.168.8.1:1234"
  1455. ctx = jwtauth.NewContext(req.Context(), token, nil)
  1456. server.checkCookieExpiration(rr, req.WithContext(ctx))
  1457. cookie = rr.Header().Get("Set-Cookie")
  1458. assert.Empty(t, cookie)
  1459. req, _ = http.NewRequest(http.MethodGet, tokenPath, nil)
  1460. req.RemoteAddr = "172.16.1.12:4567"
  1461. ctx = jwtauth.NewContext(req.Context(), token, nil)
  1462. server.checkCookieExpiration(rr, req.WithContext(ctx))
  1463. cookie = rr.Header().Get("Set-Cookie")
  1464. assert.True(t, strings.HasPrefix(cookie, "jwt="))
  1465. err = dataprovider.DeleteAdmin(admin.Username, "", "", "")
  1466. assert.NoError(t, err)
  1467. // now check client cookie expiration
  1468. username := "client"
  1469. user := dataprovider.User{
  1470. BaseUser: sdk.BaseUser{
  1471. Username: username,
  1472. Password: "clientpwd",
  1473. HomeDir: filepath.Join(os.TempDir(), username),
  1474. Status: 1,
  1475. Description: "test user",
  1476. },
  1477. }
  1478. user.Permissions = make(map[string][]string)
  1479. user.Permissions["/"] = []string{"*"}
  1480. claims = make(map[string]any)
  1481. claims[claimUsernameKey] = user.Username
  1482. claims[claimPermissionsKey] = user.Filters.WebClient
  1483. claims[jwt.SubjectKey] = user.GetSignature()
  1484. claims[jwt.ExpirationKey] = time.Now().Add(1 * time.Minute)
  1485. claims[jwt.AudienceKey] = []string{tokenAudienceWebClient}
  1486. token, _, err = server.tokenAuth.Encode(claims)
  1487. assert.NoError(t, err)
  1488. rr = httptest.NewRecorder()
  1489. req, _ = http.NewRequest(http.MethodGet, webClientFilesPath, nil)
  1490. ctx = jwtauth.NewContext(req.Context(), token, nil)
  1491. server.checkCookieExpiration(rr, req.WithContext(ctx))
  1492. cookie = rr.Header().Get("Set-Cookie")
  1493. assert.Empty(t, cookie)
  1494. // the password will be hashed and so the signature will change
  1495. err = dataprovider.AddUser(&user, "", "", "")
  1496. assert.NoError(t, err)
  1497. req, _ = http.NewRequest(http.MethodGet, webClientFilesPath, nil)
  1498. ctx = jwtauth.NewContext(req.Context(), token, nil)
  1499. server.checkCookieExpiration(rr, req.WithContext(ctx))
  1500. cookie = rr.Header().Get("Set-Cookie")
  1501. assert.Empty(t, cookie)
  1502. user, err = dataprovider.UserExists(user.Username, "")
  1503. assert.NoError(t, err)
  1504. user.Filters.AllowedIP = []string{"172.16.4.0/24"}
  1505. err = dataprovider.UpdateUser(&user, "", "", "")
  1506. assert.NoError(t, err)
  1507. user, err = dataprovider.UserExists(user.Username, "")
  1508. assert.NoError(t, err)
  1509. claims = make(map[string]any)
  1510. claims[claimUsernameKey] = user.Username
  1511. claims[claimPermissionsKey] = user.Filters.WebClient
  1512. claims[jwt.SubjectKey] = user.GetSignature()
  1513. claims[jwt.ExpirationKey] = time.Now().Add(1 * time.Minute)
  1514. claims[jwt.AudienceKey] = []string{tokenAudienceWebClient}
  1515. token, _, err = server.tokenAuth.Encode(claims)
  1516. assert.NoError(t, err)
  1517. req, _ = http.NewRequest(http.MethodGet, webClientFilesPath, nil)
  1518. req.RemoteAddr = "172.16.3.12:4567"
  1519. ctx = jwtauth.NewContext(req.Context(), token, nil)
  1520. server.checkCookieExpiration(rr, req.WithContext(ctx))
  1521. cookie = rr.Header().Get("Set-Cookie")
  1522. assert.Empty(t, cookie)
  1523. req, _ = http.NewRequest(http.MethodGet, webClientFilesPath, nil)
  1524. req.RemoteAddr = "172.16.4.16:4567"
  1525. ctx = jwtauth.NewContext(req.Context(), token, nil)
  1526. server.checkCookieExpiration(rr, req.WithContext(ctx))
  1527. cookie = rr.Header().Get("Set-Cookie")
  1528. assert.NotEmpty(t, cookie)
  1529. err = dataprovider.DeleteUser(user.Username, "", "", "")
  1530. assert.NoError(t, err)
  1531. }
  1532. func TestGetURLParam(t *testing.T) {
  1533. req, _ := http.NewRequest(http.MethodGet, adminPwdPath, nil)
  1534. rctx := chi.NewRouteContext()
  1535. rctx.URLParams.Add("val", "testuser%C3%A0")
  1536. rctx.URLParams.Add("inval", "testuser%C3%AO%GG")
  1537. req = req.WithContext(context.WithValue(req.Context(), chi.RouteCtxKey, rctx))
  1538. escaped := getURLParam(req, "val")
  1539. assert.Equal(t, "testuserà", escaped)
  1540. escaped = getURLParam(req, "inval")
  1541. assert.Equal(t, "testuser%C3%AO%GG", escaped)
  1542. }
  1543. func TestChangePwdValidationErrors(t *testing.T) {
  1544. err := doChangeAdminPassword(nil, "", "", "")
  1545. require.Error(t, err)
  1546. err = doChangeAdminPassword(nil, "a", "b", "c")
  1547. require.Error(t, err)
  1548. err = doChangeAdminPassword(nil, "a", "a", "a")
  1549. require.Error(t, err)
  1550. req, _ := http.NewRequest(http.MethodPut, adminPwdPath, nil)
  1551. err = doChangeAdminPassword(req, "currentpwd", "newpwd", "newpwd")
  1552. assert.Error(t, err)
  1553. }
  1554. func TestRenderUnexistingFolder(t *testing.T) {
  1555. rr := httptest.NewRecorder()
  1556. req, _ := http.NewRequest(http.MethodPost, folderPath, nil)
  1557. renderFolder(rr, req, "path not mapped", &jwtTokenClaims{}, http.StatusOK)
  1558. assert.Equal(t, http.StatusNotFound, rr.Code)
  1559. }
  1560. func TestCloseConnectionHandler(t *testing.T) {
  1561. tokenAuth := jwtauth.New(jwa.HS256.String(), util.GenerateRandomBytes(32), nil)
  1562. claims := make(map[string]any)
  1563. claims["username"] = defaultAdminUsername
  1564. claims[jwt.ExpirationKey] = time.Now().UTC().Add(1 * time.Hour)
  1565. token, _, err := tokenAuth.Encode(claims)
  1566. assert.NoError(t, err)
  1567. req, err := http.NewRequest(http.MethodDelete, activeConnectionsPath+"/connectionID", nil)
  1568. assert.NoError(t, err)
  1569. rctx := chi.NewRouteContext()
  1570. rctx.URLParams.Add("connectionID", "")
  1571. req = req.WithContext(context.WithValue(req.Context(), chi.RouteCtxKey, rctx))
  1572. req = req.WithContext(context.WithValue(req.Context(), jwtauth.TokenCtxKey, token))
  1573. rr := httptest.NewRecorder()
  1574. handleCloseConnection(rr, req)
  1575. assert.Equal(t, http.StatusBadRequest, rr.Code)
  1576. assert.Contains(t, rr.Body.String(), "connectionID is mandatory")
  1577. }
  1578. func TestRenderInvalidTemplate(t *testing.T) {
  1579. tmpl, err := template.New("test").Parse("{{.Count}}")
  1580. if assert.NoError(t, err) {
  1581. noMatchTmpl := "no_match"
  1582. adminTemplates[noMatchTmpl] = tmpl
  1583. rw := httptest.NewRecorder()
  1584. renderAdminTemplate(rw, noMatchTmpl, map[string]string{})
  1585. assert.Equal(t, http.StatusInternalServerError, rw.Code)
  1586. clientTemplates[noMatchTmpl] = tmpl
  1587. renderClientTemplate(rw, noMatchTmpl, map[string]string{})
  1588. assert.Equal(t, http.StatusInternalServerError, rw.Code)
  1589. }
  1590. }
  1591. func TestQuotaScanInvalidFs(t *testing.T) {
  1592. user := dataprovider.User{
  1593. BaseUser: sdk.BaseUser{
  1594. Username: "test",
  1595. HomeDir: os.TempDir(),
  1596. },
  1597. FsConfig: vfs.Filesystem{
  1598. Provider: sdk.S3FilesystemProvider,
  1599. },
  1600. }
  1601. common.QuotaScans.AddUserQuotaScan(user.Username, "")
  1602. err := doUserQuotaScan(user)
  1603. assert.Error(t, err)
  1604. }
  1605. func TestVerifyTLSConnection(t *testing.T) {
  1606. oldCertMgr := certMgr
  1607. caCrlPath := filepath.Join(os.TempDir(), "testcrl.crt")
  1608. certPath := filepath.Join(os.TempDir(), "testh.crt")
  1609. keyPath := filepath.Join(os.TempDir(), "testh.key")
  1610. err := os.WriteFile(caCrlPath, []byte(caCRL), os.ModePerm)
  1611. assert.NoError(t, err)
  1612. err = os.WriteFile(certPath, []byte(httpdCert), os.ModePerm)
  1613. assert.NoError(t, err)
  1614. err = os.WriteFile(keyPath, []byte(httpdKey), os.ModePerm)
  1615. assert.NoError(t, err)
  1616. keyPairs := []common.TLSKeyPair{
  1617. {
  1618. Cert: certPath,
  1619. Key: keyPath,
  1620. ID: common.DefaultTLSKeyPaidID,
  1621. },
  1622. }
  1623. certMgr, err = common.NewCertManager(keyPairs, "", "httpd_test")
  1624. assert.NoError(t, err)
  1625. certMgr.SetCARevocationLists([]string{caCrlPath})
  1626. err = certMgr.LoadCRLs()
  1627. assert.NoError(t, err)
  1628. crt, err := tls.X509KeyPair([]byte(client1Crt), []byte(client1Key))
  1629. assert.NoError(t, err)
  1630. x509crt, err := x509.ParseCertificate(crt.Certificate[0])
  1631. assert.NoError(t, err)
  1632. server := httpdServer{}
  1633. state := tls.ConnectionState{
  1634. PeerCertificates: []*x509.Certificate{x509crt},
  1635. }
  1636. err = server.verifyTLSConnection(state)
  1637. assert.Error(t, err) // no verified certification chain
  1638. crt, err = tls.X509KeyPair([]byte(caCRT), []byte(caKey))
  1639. assert.NoError(t, err)
  1640. x509CAcrt, err := x509.ParseCertificate(crt.Certificate[0])
  1641. assert.NoError(t, err)
  1642. state.VerifiedChains = append(state.VerifiedChains, []*x509.Certificate{x509crt, x509CAcrt})
  1643. err = server.verifyTLSConnection(state)
  1644. assert.NoError(t, err)
  1645. crt, err = tls.X509KeyPair([]byte(client2Crt), []byte(client2Key))
  1646. assert.NoError(t, err)
  1647. x509crtRevoked, err := x509.ParseCertificate(crt.Certificate[0])
  1648. assert.NoError(t, err)
  1649. state.VerifiedChains = append(state.VerifiedChains, []*x509.Certificate{x509crtRevoked, x509CAcrt})
  1650. state.PeerCertificates = []*x509.Certificate{x509crtRevoked}
  1651. err = server.verifyTLSConnection(state)
  1652. assert.EqualError(t, err, common.ErrCrtRevoked.Error())
  1653. err = os.Remove(caCrlPath)
  1654. assert.NoError(t, err)
  1655. err = os.Remove(certPath)
  1656. assert.NoError(t, err)
  1657. err = os.Remove(keyPath)
  1658. assert.NoError(t, err)
  1659. certMgr = oldCertMgr
  1660. }
  1661. func TestGetFolderFromTemplate(t *testing.T) {
  1662. folder := vfs.BaseVirtualFolder{
  1663. MappedPath: "Folder%name%",
  1664. Description: "Folder %name% desc",
  1665. }
  1666. folderName := "folderTemplate"
  1667. folderTemplate := getFolderFromTemplate(folder, folderName)
  1668. require.Equal(t, folderName, folderTemplate.Name)
  1669. require.Equal(t, fmt.Sprintf("Folder%v", folderName), folderTemplate.MappedPath)
  1670. require.Equal(t, fmt.Sprintf("Folder %v desc", folderName), folderTemplate.Description)
  1671. folder.FsConfig.Provider = sdk.CryptedFilesystemProvider
  1672. folder.FsConfig.CryptConfig.Passphrase = kms.NewPlainSecret("%name%")
  1673. folderTemplate = getFolderFromTemplate(folder, folderName)
  1674. require.Equal(t, folderName, folderTemplate.FsConfig.CryptConfig.Passphrase.GetPayload())
  1675. folder.FsConfig.Provider = sdk.GCSFilesystemProvider
  1676. folder.FsConfig.GCSConfig.KeyPrefix = "prefix%name%/"
  1677. folderTemplate = getFolderFromTemplate(folder, folderName)
  1678. require.Equal(t, fmt.Sprintf("prefix%v/", folderName), folderTemplate.FsConfig.GCSConfig.KeyPrefix)
  1679. folder.FsConfig.Provider = sdk.AzureBlobFilesystemProvider
  1680. folder.FsConfig.AzBlobConfig.KeyPrefix = "a%name%"
  1681. folder.FsConfig.AzBlobConfig.AccountKey = kms.NewPlainSecret("pwd%name%")
  1682. folderTemplate = getFolderFromTemplate(folder, folderName)
  1683. require.Equal(t, "a"+folderName, folderTemplate.FsConfig.AzBlobConfig.KeyPrefix)
  1684. require.Equal(t, "pwd"+folderName, folderTemplate.FsConfig.AzBlobConfig.AccountKey.GetPayload())
  1685. folder.FsConfig.Provider = sdk.SFTPFilesystemProvider
  1686. folder.FsConfig.SFTPConfig.Prefix = "%name%"
  1687. folder.FsConfig.SFTPConfig.Username = "sftp_%name%"
  1688. folder.FsConfig.SFTPConfig.Password = kms.NewPlainSecret("sftp%name%")
  1689. folderTemplate = getFolderFromTemplate(folder, folderName)
  1690. require.Equal(t, folderName, folderTemplate.FsConfig.SFTPConfig.Prefix)
  1691. require.Equal(t, "sftp_"+folderName, folderTemplate.FsConfig.SFTPConfig.Username)
  1692. require.Equal(t, "sftp"+folderName, folderTemplate.FsConfig.SFTPConfig.Password.GetPayload())
  1693. }
  1694. func TestGetUserFromTemplate(t *testing.T) {
  1695. user := dataprovider.User{
  1696. BaseUser: sdk.BaseUser{
  1697. Status: 1,
  1698. },
  1699. }
  1700. user.VirtualFolders = append(user.VirtualFolders, vfs.VirtualFolder{
  1701. BaseVirtualFolder: vfs.BaseVirtualFolder{
  1702. Name: "Folder%username%",
  1703. },
  1704. })
  1705. username := "userTemplate"
  1706. password := "pwdTemplate"
  1707. templateFields := userTemplateFields{
  1708. Username: username,
  1709. Password: password,
  1710. }
  1711. userTemplate := getUserFromTemplate(user, templateFields)
  1712. require.Len(t, userTemplate.VirtualFolders, 1)
  1713. require.Equal(t, "Folder"+username, userTemplate.VirtualFolders[0].Name)
  1714. user.FsConfig.Provider = sdk.CryptedFilesystemProvider
  1715. user.FsConfig.CryptConfig.Passphrase = kms.NewPlainSecret("%password%")
  1716. userTemplate = getUserFromTemplate(user, templateFields)
  1717. require.Equal(t, password, userTemplate.FsConfig.CryptConfig.Passphrase.GetPayload())
  1718. user.FsConfig.Provider = sdk.GCSFilesystemProvider
  1719. user.FsConfig.GCSConfig.KeyPrefix = "%username%%password%"
  1720. userTemplate = getUserFromTemplate(user, templateFields)
  1721. require.Equal(t, username+password, userTemplate.FsConfig.GCSConfig.KeyPrefix)
  1722. user.FsConfig.Provider = sdk.AzureBlobFilesystemProvider
  1723. user.FsConfig.AzBlobConfig.KeyPrefix = "a%username%"
  1724. user.FsConfig.AzBlobConfig.AccountKey = kms.NewPlainSecret("pwd%password%%username%")
  1725. userTemplate = getUserFromTemplate(user, templateFields)
  1726. require.Equal(t, "a"+username, userTemplate.FsConfig.AzBlobConfig.KeyPrefix)
  1727. require.Equal(t, "pwd"+password+username, userTemplate.FsConfig.AzBlobConfig.AccountKey.GetPayload())
  1728. user.FsConfig.Provider = sdk.SFTPFilesystemProvider
  1729. user.FsConfig.SFTPConfig.Prefix = "%username%"
  1730. user.FsConfig.SFTPConfig.Username = "sftp_%username%"
  1731. user.FsConfig.SFTPConfig.Password = kms.NewPlainSecret("sftp%password%")
  1732. userTemplate = getUserFromTemplate(user, templateFields)
  1733. require.Equal(t, username, userTemplate.FsConfig.SFTPConfig.Prefix)
  1734. require.Equal(t, "sftp_"+username, userTemplate.FsConfig.SFTPConfig.Username)
  1735. require.Equal(t, "sftp"+password, userTemplate.FsConfig.SFTPConfig.Password.GetPayload())
  1736. }
  1737. func TestJWTTokenCleanup(t *testing.T) {
  1738. server := httpdServer{
  1739. tokenAuth: jwtauth.New(jwa.HS256.String(), util.GenerateRandomBytes(32), nil),
  1740. }
  1741. admin := dataprovider.Admin{
  1742. Username: "newtestadmin",
  1743. Password: "password",
  1744. Permissions: []string{dataprovider.PermAdminAny},
  1745. }
  1746. claims := make(map[string]any)
  1747. claims[claimUsernameKey] = admin.Username
  1748. claims[claimPermissionsKey] = admin.Permissions
  1749. claims[jwt.SubjectKey] = admin.GetSignature()
  1750. claims[jwt.ExpirationKey] = time.Now().Add(1 * time.Minute)
  1751. _, token, err := server.tokenAuth.Encode(claims)
  1752. assert.NoError(t, err)
  1753. req, _ := http.NewRequest(http.MethodGet, versionPath, nil)
  1754. assert.True(t, isTokenInvalidated(req))
  1755. req.Header.Set("Authorization", fmt.Sprintf("Bearer %v", token))
  1756. invalidatedJWTTokens.Add(token, time.Now().Add(-tokenDuration).UTC())
  1757. require.True(t, isTokenInvalidated(req))
  1758. startCleanupTicker(100 * time.Millisecond)
  1759. assert.Eventually(t, func() bool { return !isTokenInvalidated(req) }, 1*time.Second, 200*time.Millisecond)
  1760. stopCleanupTicker()
  1761. }
  1762. func TestDbTokenManager(t *testing.T) {
  1763. if !isSharedProviderSupported() {
  1764. t.Skip("this test it is not available with this provider")
  1765. }
  1766. mgr := newTokenManager(1)
  1767. dbTokenManager := mgr.(*dbTokenManager)
  1768. testToken := "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOlsiV2ViQWRtaW4iLCI6OjEiXSwiZXhwIjoxNjk4NjYwMDM4LCJqdGkiOiJja3ZuazVrYjF1aHUzZXRmZmhyZyIsIm5iZiI6MTY5ODY1ODgwOCwicGVybWlzc2lvbnMiOlsiKiJdLCJzdWIiOiIxNjk3ODIwNDM3NTMyIiwidXNlcm5hbWUiOiJhZG1pbiJ9.LXuFFksvnSuzHqHat6r70yR0jEulNRju7m7SaWrOfy8; csrftoken=mP0C7DqjwpAXsptO2gGCaYBkYw3oNMWB"
  1769. key := dbTokenManager.getKey(testToken)
  1770. require.Len(t, key, 64)
  1771. dbTokenManager.Add(testToken, time.Now().Add(-tokenDuration).UTC())
  1772. isInvalidated := dbTokenManager.Get(testToken)
  1773. assert.True(t, isInvalidated)
  1774. dbTokenManager.Cleanup()
  1775. isInvalidated = dbTokenManager.Get(testToken)
  1776. assert.False(t, isInvalidated)
  1777. dbTokenManager.Add(testToken, time.Now().Add(tokenDuration).UTC())
  1778. isInvalidated = dbTokenManager.Get(testToken)
  1779. assert.True(t, isInvalidated)
  1780. dbTokenManager.Cleanup()
  1781. isInvalidated = dbTokenManager.Get(testToken)
  1782. assert.True(t, isInvalidated)
  1783. err := dataprovider.DeleteSharedSession(key)
  1784. assert.NoError(t, err)
  1785. }
  1786. func TestAllowedProxyUnixDomainSocket(t *testing.T) {
  1787. b := Binding{
  1788. Address: filepath.Join(os.TempDir(), "sock"),
  1789. ProxyAllowed: []string{"127.0.0.1", "127.0.1.1"},
  1790. }
  1791. err := b.parseAllowedProxy()
  1792. assert.NoError(t, err)
  1793. if assert.Len(t, b.allowHeadersFrom, 1) {
  1794. assert.True(t, b.allowHeadersFrom[0](nil))
  1795. }
  1796. }
  1797. func TestProxyHeaders(t *testing.T) {
  1798. username := "adminTest"
  1799. password := "testPwd"
  1800. admin := dataprovider.Admin{
  1801. Username: username,
  1802. Password: password,
  1803. Permissions: []string{dataprovider.PermAdminAny},
  1804. Status: 1,
  1805. Filters: dataprovider.AdminFilters{
  1806. AllowList: []string{"172.19.2.0/24"},
  1807. },
  1808. }
  1809. err := dataprovider.AddAdmin(&admin, "", "", "")
  1810. assert.NoError(t, err)
  1811. testIP := "10.29.1.9"
  1812. validForwardedFor := "172.19.2.6"
  1813. b := Binding{
  1814. Address: "",
  1815. Port: 8080,
  1816. EnableWebAdmin: true,
  1817. EnableWebClient: false,
  1818. EnableRESTAPI: true,
  1819. ProxyAllowed: []string{testIP, "10.8.0.0/30"},
  1820. ClientIPProxyHeader: "x-forwarded-for",
  1821. }
  1822. err = b.parseAllowedProxy()
  1823. assert.NoError(t, err)
  1824. server := newHttpdServer(b, "", "", CorsConfig{Enabled: true}, "")
  1825. server.initializeRouter()
  1826. testServer := httptest.NewServer(server.router)
  1827. defer testServer.Close()
  1828. req, err := http.NewRequest(http.MethodGet, tokenPath, nil)
  1829. assert.NoError(t, err)
  1830. req.Header.Set("X-Forwarded-For", validForwardedFor)
  1831. req.Header.Set(xForwardedProto, "https")
  1832. req.RemoteAddr = "127.0.0.1:123"
  1833. req.SetBasicAuth(username, password)
  1834. rr := httptest.NewRecorder()
  1835. testServer.Config.Handler.ServeHTTP(rr, req)
  1836. assert.Equal(t, http.StatusUnauthorized, rr.Code)
  1837. assert.Contains(t, rr.Body.String(), "login from IP 127.0.0.1 not allowed")
  1838. req.RemoteAddr = testIP
  1839. rr = httptest.NewRecorder()
  1840. testServer.Config.Handler.ServeHTTP(rr, req)
  1841. assert.Equal(t, http.StatusOK, rr.Code)
  1842. req.RemoteAddr = "10.8.0.2"
  1843. rr = httptest.NewRecorder()
  1844. testServer.Config.Handler.ServeHTTP(rr, req)
  1845. assert.Equal(t, http.StatusOK, rr.Code)
  1846. form := make(url.Values)
  1847. form.Set("username", username)
  1848. form.Set("password", password)
  1849. form.Set(csrfFormToken, createCSRFToken(testIP))
  1850. req, err = http.NewRequest(http.MethodPost, webAdminLoginPath, bytes.NewBuffer([]byte(form.Encode())))
  1851. assert.NoError(t, err)
  1852. req.RemoteAddr = testIP
  1853. req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
  1854. rr = httptest.NewRecorder()
  1855. testServer.Config.Handler.ServeHTTP(rr, req)
  1856. assert.Equal(t, http.StatusOK, rr.Code, rr.Body.String())
  1857. assert.Contains(t, rr.Body.String(), "login from IP 10.29.1.9 not allowed")
  1858. form.Set(csrfFormToken, createCSRFToken(validForwardedFor))
  1859. req, err = http.NewRequest(http.MethodPost, webAdminLoginPath, bytes.NewBuffer([]byte(form.Encode())))
  1860. assert.NoError(t, err)
  1861. req.RemoteAddr = testIP
  1862. req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
  1863. req.Header.Set("X-Forwarded-For", validForwardedFor)
  1864. rr = httptest.NewRecorder()
  1865. testServer.Config.Handler.ServeHTTP(rr, req)
  1866. assert.Equal(t, http.StatusFound, rr.Code, rr.Body.String())
  1867. cookie := rr.Header().Get("Set-Cookie")
  1868. assert.NotContains(t, cookie, "Secure")
  1869. req, err = http.NewRequest(http.MethodPost, webAdminLoginPath, bytes.NewBuffer([]byte(form.Encode())))
  1870. assert.NoError(t, err)
  1871. req.RemoteAddr = testIP
  1872. req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
  1873. req.Header.Set("X-Forwarded-For", validForwardedFor)
  1874. req.Header.Set(xForwardedProto, "https")
  1875. rr = httptest.NewRecorder()
  1876. testServer.Config.Handler.ServeHTTP(rr, req)
  1877. assert.Equal(t, http.StatusFound, rr.Code, rr.Body.String())
  1878. cookie = rr.Header().Get("Set-Cookie")
  1879. assert.Contains(t, cookie, "Secure")
  1880. req, err = http.NewRequest(http.MethodPost, webAdminLoginPath, bytes.NewBuffer([]byte(form.Encode())))
  1881. assert.NoError(t, err)
  1882. req.RemoteAddr = testIP
  1883. req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
  1884. req.Header.Set("X-Forwarded-For", validForwardedFor)
  1885. req.Header.Set(xForwardedProto, "http")
  1886. rr = httptest.NewRecorder()
  1887. testServer.Config.Handler.ServeHTTP(rr, req)
  1888. assert.Equal(t, http.StatusFound, rr.Code, rr.Body.String())
  1889. cookie = rr.Header().Get("Set-Cookie")
  1890. assert.NotContains(t, cookie, "Secure")
  1891. err = dataprovider.DeleteAdmin(username, "", "", "")
  1892. assert.NoError(t, err)
  1893. }
  1894. func TestRecoverer(t *testing.T) {
  1895. recoveryPath := "/recovery"
  1896. b := Binding{
  1897. Address: "",
  1898. Port: 8080,
  1899. EnableWebAdmin: true,
  1900. EnableWebClient: false,
  1901. EnableRESTAPI: true,
  1902. }
  1903. server := newHttpdServer(b, "../static", "", CorsConfig{}, "../openapi")
  1904. server.initializeRouter()
  1905. server.router.Get(recoveryPath, func(w http.ResponseWriter, r *http.Request) {
  1906. panic("panic")
  1907. })
  1908. testServer := httptest.NewServer(server.router)
  1909. defer testServer.Close()
  1910. req, err := http.NewRequest(http.MethodGet, recoveryPath, nil)
  1911. assert.NoError(t, err)
  1912. rr := httptest.NewRecorder()
  1913. testServer.Config.Handler.ServeHTTP(rr, req)
  1914. assert.Equal(t, http.StatusInternalServerError, rr.Code, rr.Body.String())
  1915. server.router = chi.NewRouter()
  1916. server.router.Use(middleware.Recoverer)
  1917. server.router.Get(recoveryPath, func(w http.ResponseWriter, r *http.Request) {
  1918. panic("panic")
  1919. })
  1920. testServer = httptest.NewServer(server.router)
  1921. defer testServer.Close()
  1922. req, err = http.NewRequest(http.MethodGet, recoveryPath, nil)
  1923. assert.NoError(t, err)
  1924. rr = httptest.NewRecorder()
  1925. testServer.Config.Handler.ServeHTTP(rr, req)
  1926. assert.Equal(t, http.StatusInternalServerError, rr.Code, rr.Body.String())
  1927. }
  1928. func TestCompressorAbortHandler(t *testing.T) {
  1929. defer func() {
  1930. rcv := recover()
  1931. assert.Equal(t, http.ErrAbortHandler, rcv)
  1932. }()
  1933. connection := &Connection{
  1934. BaseConnection: common.NewBaseConnection(xid.New().String(), common.ProtocolHTTP, "", "", dataprovider.User{}),
  1935. request: nil,
  1936. }
  1937. share := &dataprovider.Share{}
  1938. renderCompressedFiles(&failingWriter{}, connection, "", nil, share)
  1939. }
  1940. func TestZipErrors(t *testing.T) {
  1941. user := dataprovider.User{
  1942. BaseUser: sdk.BaseUser{
  1943. HomeDir: filepath.Clean(os.TempDir()),
  1944. },
  1945. }
  1946. user.Permissions = make(map[string][]string)
  1947. user.Permissions["/"] = []string{dataprovider.PermAny}
  1948. connection := &Connection{
  1949. BaseConnection: common.NewBaseConnection(xid.New().String(), common.ProtocolHTTP, "", "", user),
  1950. request: nil,
  1951. }
  1952. testDir := filepath.Join(os.TempDir(), "testDir")
  1953. err := os.MkdirAll(testDir, os.ModePerm)
  1954. assert.NoError(t, err)
  1955. wr := zip.NewWriter(&failingWriter{})
  1956. err = wr.Close()
  1957. if assert.Error(t, err) {
  1958. assert.Contains(t, err.Error(), "write error")
  1959. }
  1960. err = addZipEntry(wr, connection, "/"+filepath.Base(testDir), "/")
  1961. if assert.Error(t, err) {
  1962. assert.Contains(t, err.Error(), "write error")
  1963. }
  1964. err = addZipEntry(wr, connection, "/"+filepath.Base(testDir), path.Join("/", filepath.Base(testDir), "dir"))
  1965. if assert.Error(t, err) {
  1966. assert.Contains(t, err.Error(), "is outside base dir")
  1967. }
  1968. testFilePath := filepath.Join(testDir, "ziptest.zip")
  1969. err = os.WriteFile(testFilePath, util.GenerateRandomBytes(65535), os.ModePerm)
  1970. assert.NoError(t, err)
  1971. err = addZipEntry(wr, connection, path.Join("/", filepath.Base(testDir), filepath.Base(testFilePath)),
  1972. "/"+filepath.Base(testDir))
  1973. if assert.Error(t, err) {
  1974. assert.Contains(t, err.Error(), "write error")
  1975. }
  1976. connection.User.Permissions["/"] = []string{dataprovider.PermListItems}
  1977. err = addZipEntry(wr, connection, path.Join("/", filepath.Base(testDir), filepath.Base(testFilePath)),
  1978. "/"+filepath.Base(testDir))
  1979. assert.ErrorIs(t, err, os.ErrPermission)
  1980. // creating a virtual folder to a missing path stat is ok but readdir fails
  1981. user.VirtualFolders = append(user.VirtualFolders, vfs.VirtualFolder{
  1982. BaseVirtualFolder: vfs.BaseVirtualFolder{
  1983. MappedPath: filepath.Join(os.TempDir(), "mapped"),
  1984. },
  1985. VirtualPath: "/vpath",
  1986. })
  1987. connection.User = user
  1988. wr = zip.NewWriter(bytes.NewBuffer(make([]byte, 0)))
  1989. err = addZipEntry(wr, connection, user.VirtualFolders[0].VirtualPath, "/")
  1990. assert.Error(t, err)
  1991. user.Filters.FilePatterns = append(user.Filters.FilePatterns, sdk.PatternsFilter{
  1992. Path: "/",
  1993. DeniedPatterns: []string{"*.zip"},
  1994. })
  1995. err = addZipEntry(wr, connection, "/"+filepath.Base(testDir), "/")
  1996. assert.ErrorIs(t, err, os.ErrPermission)
  1997. err = os.RemoveAll(testDir)
  1998. assert.NoError(t, err)
  1999. }
  2000. func TestWebAdminRedirect(t *testing.T) {
  2001. b := Binding{
  2002. Address: "",
  2003. Port: 8080,
  2004. EnableWebAdmin: true,
  2005. EnableWebClient: false,
  2006. EnableRESTAPI: true,
  2007. }
  2008. server := newHttpdServer(b, "../static", "", CorsConfig{}, "../openapi")
  2009. server.initializeRouter()
  2010. testServer := httptest.NewServer(server.router)
  2011. defer testServer.Close()
  2012. req, err := http.NewRequest(http.MethodGet, webRootPath, nil)
  2013. assert.NoError(t, err)
  2014. rr := httptest.NewRecorder()
  2015. testServer.Config.Handler.ServeHTTP(rr, req)
  2016. assert.Equal(t, http.StatusFound, rr.Code, rr.Body.String())
  2017. assert.Equal(t, webAdminLoginPath, rr.Header().Get("Location"))
  2018. req, err = http.NewRequest(http.MethodGet, webBasePath, nil)
  2019. assert.NoError(t, err)
  2020. rr = httptest.NewRecorder()
  2021. testServer.Config.Handler.ServeHTTP(rr, req)
  2022. assert.Equal(t, http.StatusFound, rr.Code, rr.Body.String())
  2023. assert.Equal(t, webAdminLoginPath, rr.Header().Get("Location"))
  2024. }
  2025. func TestParseRangeRequests(t *testing.T) {
  2026. // curl --verbose "http://127.0.0.1:8080/static/css/sb-admin-2.min.css" -H "Range: bytes=24-24"
  2027. fileSize := int64(169740)
  2028. rangeHeader := "bytes=24-24"
  2029. offset, size, err := parseRangeRequest(rangeHeader[6:], fileSize)
  2030. require.NoError(t, err)
  2031. resp := fmt.Sprintf("bytes %d-%d/%d", offset, offset+size-1, fileSize)
  2032. assert.Equal(t, "bytes 24-24/169740", resp)
  2033. require.Equal(t, int64(1), size)
  2034. // curl --verbose "http://127.0.0.1:8080/static/css/sb-admin-2.min.css" -H "Range: bytes=24-"
  2035. rangeHeader = "bytes=24-"
  2036. offset, size, err = parseRangeRequest(rangeHeader[6:], fileSize)
  2037. require.NoError(t, err)
  2038. resp = fmt.Sprintf("bytes %d-%d/%d", offset, offset+size-1, fileSize)
  2039. assert.Equal(t, "bytes 24-169739/169740", resp)
  2040. require.Equal(t, int64(169716), size)
  2041. // curl --verbose "http://127.0.0.1:8080/static/css/sb-admin-2.min.css" -H "Range: bytes=-1"
  2042. rangeHeader = "bytes=-1"
  2043. offset, size, err = parseRangeRequest(rangeHeader[6:], fileSize)
  2044. require.NoError(t, err)
  2045. resp = fmt.Sprintf("bytes %d-%d/%d", offset, offset+size-1, fileSize)
  2046. assert.Equal(t, "bytes 169739-169739/169740", resp)
  2047. require.Equal(t, int64(1), size)
  2048. // curl --verbose "http://127.0.0.1:8080/static/css/sb-admin-2.min.css" -H "Range: bytes=-100"
  2049. rangeHeader = "bytes=-100"
  2050. offset, size, err = parseRangeRequest(rangeHeader[6:], fileSize)
  2051. require.NoError(t, err)
  2052. resp = fmt.Sprintf("bytes %d-%d/%d", offset, offset+size-1, fileSize)
  2053. assert.Equal(t, "bytes 169640-169739/169740", resp)
  2054. require.Equal(t, int64(100), size)
  2055. // curl --verbose "http://127.0.0.1:8080/static/css/sb-admin-2.min.css" -H "Range: bytes=20-30"
  2056. rangeHeader = "bytes=20-30"
  2057. offset, size, err = parseRangeRequest(rangeHeader[6:], fileSize)
  2058. require.NoError(t, err)
  2059. resp = fmt.Sprintf("bytes %d-%d/%d", offset, offset+size-1, fileSize)
  2060. assert.Equal(t, "bytes 20-30/169740", resp)
  2061. require.Equal(t, int64(11), size)
  2062. // curl --verbose "http://127.0.0.1:8080/static/css/sb-admin-2.min.css" -H "Range: bytes=20-169739"
  2063. rangeHeader = "bytes=20-169739"
  2064. offset, size, err = parseRangeRequest(rangeHeader[6:], fileSize)
  2065. require.NoError(t, err)
  2066. resp = fmt.Sprintf("bytes %d-%d/%d", offset, offset+size-1, fileSize)
  2067. assert.Equal(t, "bytes 20-169739/169740", resp)
  2068. require.Equal(t, int64(169720), size)
  2069. // curl --verbose "http://127.0.0.1:8080/static/css/sb-admin-2.min.css" -H "Range: bytes=20-169740"
  2070. rangeHeader = "bytes=20-169740"
  2071. offset, size, err = parseRangeRequest(rangeHeader[6:], fileSize)
  2072. require.NoError(t, err)
  2073. resp = fmt.Sprintf("bytes %d-%d/%d", offset, offset+size-1, fileSize)
  2074. assert.Equal(t, "bytes 20-169739/169740", resp)
  2075. require.Equal(t, int64(169720), size)
  2076. // curl --verbose "http://127.0.0.1:8080/static/css/sb-admin-2.min.css" -H "Range: bytes=20-169741"
  2077. rangeHeader = "bytes=20-169741"
  2078. offset, size, err = parseRangeRequest(rangeHeader[6:], fileSize)
  2079. require.NoError(t, err)
  2080. resp = fmt.Sprintf("bytes %d-%d/%d", offset, offset+size-1, fileSize)
  2081. assert.Equal(t, "bytes 20-169739/169740", resp)
  2082. require.Equal(t, int64(169720), size)
  2083. //curl --verbose "http://127.0.0.1:8080/static/css/sb-admin-2.min.css" -H "Range: bytes=0-" > /dev/null
  2084. rangeHeader = "bytes=0-"
  2085. offset, size, err = parseRangeRequest(rangeHeader[6:], fileSize)
  2086. require.NoError(t, err)
  2087. resp = fmt.Sprintf("bytes %d-%d/%d", offset, offset+size-1, fileSize)
  2088. assert.Equal(t, "bytes 0-169739/169740", resp)
  2089. require.Equal(t, int64(169740), size)
  2090. // now test errors
  2091. rangeHeader = "bytes=0-a"
  2092. _, _, err = parseRangeRequest(rangeHeader[6:], fileSize)
  2093. require.Error(t, err)
  2094. rangeHeader = "bytes="
  2095. _, _, err = parseRangeRequest(rangeHeader[6:], fileSize)
  2096. require.Error(t, err)
  2097. rangeHeader = "bytes=-"
  2098. _, _, err = parseRangeRequest(rangeHeader[6:], fileSize)
  2099. require.Error(t, err)
  2100. rangeHeader = "bytes=500-300"
  2101. _, _, err = parseRangeRequest(rangeHeader[6:], fileSize)
  2102. require.Error(t, err)
  2103. rangeHeader = "bytes=5000000"
  2104. _, _, err = parseRangeRequest(rangeHeader[6:], fileSize)
  2105. require.Error(t, err)
  2106. }
  2107. func TestRequestHeaderErrors(t *testing.T) {
  2108. req, _ := http.NewRequest(http.MethodGet, webClientFilesPath, nil)
  2109. req.Header.Set("If-Unmodified-Since", "not a date")
  2110. res := checkIfUnmodifiedSince(req, time.Now())
  2111. assert.Equal(t, condNone, res)
  2112. req, _ = http.NewRequest(http.MethodPost, webClientFilesPath, nil)
  2113. res = checkIfModifiedSince(req, time.Now())
  2114. assert.Equal(t, condNone, res)
  2115. req, _ = http.NewRequest(http.MethodPost, webClientFilesPath, nil)
  2116. res = checkIfRange(req, time.Now())
  2117. assert.Equal(t, condNone, res)
  2118. req, _ = http.NewRequest(http.MethodGet, webClientFilesPath, nil)
  2119. req.Header.Set("If-Modified-Since", "not a date")
  2120. res = checkIfModifiedSince(req, time.Now())
  2121. assert.Equal(t, condNone, res)
  2122. req, _ = http.NewRequest(http.MethodGet, webClientFilesPath, nil)
  2123. req.Header.Set("If-Range", time.Now().Format(http.TimeFormat))
  2124. res = checkIfRange(req, time.Time{})
  2125. assert.Equal(t, condFalse, res)
  2126. req.Header.Set("If-Range", "invalid if range date")
  2127. res = checkIfRange(req, time.Now())
  2128. assert.Equal(t, condFalse, res)
  2129. modTime := getFileObjectModTime(time.Time{})
  2130. assert.Empty(t, modTime)
  2131. }
  2132. func TestConnection(t *testing.T) {
  2133. user := dataprovider.User{
  2134. BaseUser: sdk.BaseUser{
  2135. Username: "test_httpd_user",
  2136. HomeDir: filepath.Clean(os.TempDir()),
  2137. },
  2138. FsConfig: vfs.Filesystem{
  2139. Provider: sdk.GCSFilesystemProvider,
  2140. GCSConfig: vfs.GCSFsConfig{
  2141. BaseGCSFsConfig: sdk.BaseGCSFsConfig{
  2142. Bucket: "test_bucket_name",
  2143. },
  2144. Credentials: kms.NewPlainSecret("invalid JSON payload"),
  2145. },
  2146. },
  2147. }
  2148. user.Permissions = make(map[string][]string)
  2149. user.Permissions["/"] = []string{dataprovider.PermAny}
  2150. connection := &Connection{
  2151. BaseConnection: common.NewBaseConnection(xid.New().String(), common.ProtocolHTTP, "", "", user),
  2152. request: nil,
  2153. }
  2154. assert.Empty(t, connection.GetClientVersion())
  2155. assert.Empty(t, connection.GetRemoteAddress())
  2156. assert.Empty(t, connection.GetCommand())
  2157. name := "missing file name"
  2158. _, err := connection.getFileReader(name, 0, http.MethodGet)
  2159. assert.Error(t, err)
  2160. connection.User.FsConfig.Provider = sdk.LocalFilesystemProvider
  2161. _, err = connection.getFileReader(name, 0, http.MethodGet)
  2162. assert.ErrorIs(t, err, os.ErrNotExist)
  2163. }
  2164. func TestGetFileWriterErrors(t *testing.T) {
  2165. user := dataprovider.User{
  2166. BaseUser: sdk.BaseUser{
  2167. Username: "test_httpd_user",
  2168. HomeDir: "invalid",
  2169. },
  2170. }
  2171. user.Permissions = make(map[string][]string)
  2172. user.Permissions["/"] = []string{dataprovider.PermAny}
  2173. connection := &Connection{
  2174. BaseConnection: common.NewBaseConnection(xid.New().String(), common.ProtocolHTTP, "", "", user),
  2175. request: nil,
  2176. }
  2177. _, err := connection.getFileWriter("name")
  2178. assert.Error(t, err)
  2179. user.FsConfig.Provider = sdk.S3FilesystemProvider
  2180. user.FsConfig.S3Config = vfs.S3FsConfig{
  2181. BaseS3FsConfig: sdk.BaseS3FsConfig{
  2182. Bucket: "b",
  2183. Region: "us-west-1",
  2184. AccessKey: "key",
  2185. },
  2186. AccessSecret: kms.NewPlainSecret("secret"),
  2187. }
  2188. connection = &Connection{
  2189. BaseConnection: common.NewBaseConnection(xid.New().String(), common.ProtocolHTTP, "", "", user),
  2190. request: nil,
  2191. }
  2192. _, err = connection.getFileWriter("/path")
  2193. assert.Error(t, err)
  2194. }
  2195. func TestThrottledHandler(t *testing.T) {
  2196. tr := &throttledReader{
  2197. r: io.NopCloser(bytes.NewBuffer(nil)),
  2198. }
  2199. assert.Equal(t, int64(0), tr.GetTruncatedSize())
  2200. err := tr.Close()
  2201. assert.NoError(t, err)
  2202. assert.Empty(t, tr.GetRealFsPath("real path"))
  2203. assert.False(t, tr.SetTimes("p", time.Now(), time.Now()))
  2204. _, err = tr.Truncate("", 0)
  2205. assert.ErrorIs(t, err, vfs.ErrVfsUnsupported)
  2206. err = tr.GetAbortError()
  2207. assert.ErrorIs(t, err, common.ErrTransferAborted)
  2208. }
  2209. func TestHTTPDFile(t *testing.T) {
  2210. user := dataprovider.User{
  2211. BaseUser: sdk.BaseUser{
  2212. Username: "test_httpd_user",
  2213. HomeDir: filepath.Clean(os.TempDir()),
  2214. },
  2215. }
  2216. user.Permissions = make(map[string][]string)
  2217. user.Permissions["/"] = []string{dataprovider.PermAny}
  2218. connection := &Connection{
  2219. BaseConnection: common.NewBaseConnection(xid.New().String(), common.ProtocolHTTP, "", "", user),
  2220. request: nil,
  2221. }
  2222. fs, err := user.GetFilesystem("")
  2223. assert.NoError(t, err)
  2224. name := "fileName"
  2225. p := filepath.Join(os.TempDir(), name)
  2226. err = os.WriteFile(p, []byte("contents"), os.ModePerm)
  2227. assert.NoError(t, err)
  2228. file, err := os.Open(p)
  2229. assert.NoError(t, err)
  2230. err = file.Close()
  2231. assert.NoError(t, err)
  2232. baseTransfer := common.NewBaseTransfer(file, connection.BaseConnection, nil, p, p, name, common.TransferDownload,
  2233. 0, 0, 0, 0, false, fs, dataprovider.TransferQuota{})
  2234. httpdFile := newHTTPDFile(baseTransfer, nil, nil)
  2235. // the file is closed, read should fail
  2236. buf := make([]byte, 100)
  2237. _, err = httpdFile.Read(buf)
  2238. assert.Error(t, err)
  2239. err = httpdFile.Close()
  2240. assert.Error(t, err)
  2241. err = httpdFile.Close()
  2242. assert.ErrorIs(t, err, common.ErrTransferClosed)
  2243. err = os.Remove(p)
  2244. assert.NoError(t, err)
  2245. httpdFile.writer = file
  2246. httpdFile.File = nil
  2247. httpdFile.ErrTransfer = nil
  2248. err = httpdFile.closeIO()
  2249. assert.Error(t, err)
  2250. assert.Error(t, httpdFile.ErrTransfer)
  2251. assert.Equal(t, err, httpdFile.ErrTransfer)
  2252. httpdFile.SignalClose(nil)
  2253. _, err = httpdFile.Write(nil)
  2254. assert.ErrorIs(t, err, common.ErrQuotaExceeded)
  2255. }
  2256. func TestChangeUserPwd(t *testing.T) {
  2257. req, _ := http.NewRequest(http.MethodPost, webChangeClientPwdPath, nil)
  2258. err := doChangeUserPassword(req, "", "", "")
  2259. if assert.Error(t, err) {
  2260. assert.Contains(t, err.Error(), "please provide the current password and the new one two times")
  2261. }
  2262. err = doChangeUserPassword(req, "a", "b", "c")
  2263. if assert.Error(t, err) {
  2264. assert.Contains(t, err.Error(), "the two password fields do not match")
  2265. }
  2266. err = doChangeUserPassword(req, "a", "b", "b")
  2267. if assert.Error(t, err) {
  2268. assert.Contains(t, err.Error(), "invalid token claims")
  2269. }
  2270. }
  2271. func TestWebUserInvalidClaims(t *testing.T) {
  2272. server := httpdServer{}
  2273. server.initializeRouter()
  2274. rr := httptest.NewRecorder()
  2275. user := dataprovider.User{
  2276. BaseUser: sdk.BaseUser{
  2277. Username: "",
  2278. Password: "pwd",
  2279. },
  2280. }
  2281. c := jwtTokenClaims{
  2282. Username: user.Username,
  2283. Permissions: nil,
  2284. Signature: user.GetSignature(),
  2285. }
  2286. token, err := c.createTokenResponse(server.tokenAuth, tokenAudienceWebClient, "")
  2287. assert.NoError(t, err)
  2288. req, _ := http.NewRequest(http.MethodGet, webClientFilesPath, nil)
  2289. req.Header.Set("Cookie", fmt.Sprintf("jwt=%v", token["access_token"]))
  2290. server.handleClientGetFiles(rr, req)
  2291. assert.Equal(t, http.StatusForbidden, rr.Code)
  2292. assert.Contains(t, rr.Body.String(), "Invalid token claims")
  2293. rr = httptest.NewRecorder()
  2294. req, _ = http.NewRequest(http.MethodGet, webClientDirsPath, nil)
  2295. req.Header.Set("Cookie", fmt.Sprintf("jwt=%v", token["access_token"]))
  2296. server.handleClientGetDirContents(rr, req)
  2297. assert.Equal(t, http.StatusForbidden, rr.Code)
  2298. assert.Contains(t, rr.Body.String(), "invalid token claims")
  2299. rr = httptest.NewRecorder()
  2300. req, _ = http.NewRequest(http.MethodGet, webClientDownloadZipPath, nil)
  2301. req.Header.Set("Cookie", fmt.Sprintf("jwt=%v", token["access_token"]))
  2302. server.handleWebClientDownloadZip(rr, req)
  2303. assert.Equal(t, http.StatusForbidden, rr.Code)
  2304. assert.Contains(t, rr.Body.String(), "Invalid token claims")
  2305. rr = httptest.NewRecorder()
  2306. req, _ = http.NewRequest(http.MethodGet, webClientEditFilePath, nil)
  2307. req.Header.Set("Cookie", fmt.Sprintf("jwt=%v", token["access_token"]))
  2308. server.handleClientEditFile(rr, req)
  2309. assert.Equal(t, http.StatusForbidden, rr.Code)
  2310. assert.Contains(t, rr.Body.String(), "Invalid token claims")
  2311. rr = httptest.NewRecorder()
  2312. req, _ = http.NewRequest(http.MethodGet, webClientSharePath, nil)
  2313. req.Header.Set("Cookie", fmt.Sprintf("jwt=%v", token["access_token"]))
  2314. server.handleClientAddShareGet(rr, req)
  2315. assert.Equal(t, http.StatusForbidden, rr.Code)
  2316. assert.Contains(t, rr.Body.String(), "Invalid token claims")
  2317. rr = httptest.NewRecorder()
  2318. req, _ = http.NewRequest(http.MethodGet, webClientSharePath, nil)
  2319. req.Header.Set("Cookie", fmt.Sprintf("jwt=%v", token["access_token"]))
  2320. server.handleClientUpdateShareGet(rr, req)
  2321. assert.Equal(t, http.StatusForbidden, rr.Code)
  2322. assert.Contains(t, rr.Body.String(), "Invalid token claims")
  2323. rr = httptest.NewRecorder()
  2324. req, _ = http.NewRequest(http.MethodPost, webClientSharePath, nil)
  2325. req.Header.Set("Cookie", fmt.Sprintf("jwt=%v", token["access_token"]))
  2326. server.handleClientAddSharePost(rr, req)
  2327. assert.Equal(t, http.StatusForbidden, rr.Code)
  2328. assert.Contains(t, rr.Body.String(), "Invalid token claims")
  2329. rr = httptest.NewRecorder()
  2330. req, _ = http.NewRequest(http.MethodPost, webClientSharePath+"/id", nil)
  2331. req.Header.Set("Cookie", fmt.Sprintf("jwt=%v", token["access_token"]))
  2332. server.handleClientUpdateSharePost(rr, req)
  2333. assert.Equal(t, http.StatusForbidden, rr.Code)
  2334. assert.Contains(t, rr.Body.String(), "Invalid token claims")
  2335. rr = httptest.NewRecorder()
  2336. req, _ = http.NewRequest(http.MethodGet, webClientSharesPath, nil)
  2337. req.Header.Set("Cookie", fmt.Sprintf("jwt=%v", token["access_token"]))
  2338. server.handleClientGetShares(rr, req)
  2339. assert.Equal(t, http.StatusForbidden, rr.Code)
  2340. assert.Contains(t, rr.Body.String(), "Invalid token claims")
  2341. rr = httptest.NewRecorder()
  2342. req, _ = http.NewRequest(http.MethodGet, webClientViewPDFPath, nil)
  2343. req.Header.Set("Cookie", fmt.Sprintf("jwt=%v", token["access_token"]))
  2344. server.handleClientGetPDF(rr, req)
  2345. assert.Equal(t, http.StatusForbidden, rr.Code)
  2346. assert.Contains(t, rr.Body.String(), "Invalid token claims")
  2347. }
  2348. func TestInvalidClaims(t *testing.T) {
  2349. server := httpdServer{}
  2350. server.initializeRouter()
  2351. rr := httptest.NewRecorder()
  2352. user := dataprovider.User{
  2353. BaseUser: sdk.BaseUser{
  2354. Username: "",
  2355. Password: "pwd",
  2356. },
  2357. }
  2358. c := jwtTokenClaims{
  2359. Username: user.Username,
  2360. Permissions: nil,
  2361. Signature: user.GetSignature(),
  2362. }
  2363. token, err := c.createTokenResponse(server.tokenAuth, tokenAudienceWebClient, "")
  2364. assert.NoError(t, err)
  2365. form := make(url.Values)
  2366. form.Set(csrfFormToken, createCSRFToken(""))
  2367. form.Set("public_keys", "")
  2368. req, _ := http.NewRequest(http.MethodPost, webClientProfilePath, bytes.NewBuffer([]byte(form.Encode())))
  2369. req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
  2370. req.Header.Set("Cookie", fmt.Sprintf("jwt=%v", token["access_token"]))
  2371. server.handleWebClientProfilePost(rr, req)
  2372. assert.Equal(t, http.StatusForbidden, rr.Code)
  2373. admin := dataprovider.Admin{
  2374. Username: "",
  2375. Password: user.Password,
  2376. }
  2377. c = jwtTokenClaims{
  2378. Username: admin.Username,
  2379. Permissions: nil,
  2380. Signature: admin.GetSignature(),
  2381. }
  2382. token, err = c.createTokenResponse(server.tokenAuth, tokenAudienceWebAdmin, "")
  2383. assert.NoError(t, err)
  2384. form = make(url.Values)
  2385. form.Set(csrfFormToken, createCSRFToken(""))
  2386. form.Set("allow_api_key_auth", "")
  2387. req, _ = http.NewRequest(http.MethodPost, webAdminProfilePath, bytes.NewBuffer([]byte(form.Encode())))
  2388. req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
  2389. req.Header.Set("Cookie", fmt.Sprintf("jwt=%v", token["access_token"]))
  2390. server.handleWebAdminProfilePost(rr, req)
  2391. assert.Equal(t, http.StatusForbidden, rr.Code)
  2392. }
  2393. func TestTLSReq(t *testing.T) {
  2394. req, err := http.NewRequest(http.MethodGet, webClientLoginPath, nil)
  2395. assert.NoError(t, err)
  2396. req.TLS = &tls.ConnectionState{}
  2397. assert.True(t, isTLS(req))
  2398. req.TLS = nil
  2399. ctx := context.WithValue(req.Context(), forwardedProtoKey, "https")
  2400. assert.True(t, isTLS(req.WithContext(ctx)))
  2401. ctx = context.WithValue(req.Context(), forwardedProtoKey, "http")
  2402. assert.False(t, isTLS(req.WithContext(ctx)))
  2403. assert.Equal(t, "context value forwarded proto", forwardedProtoKey.String())
  2404. }
  2405. func TestSigningKey(t *testing.T) {
  2406. signingPassphrase := "test"
  2407. server1 := httpdServer{
  2408. signingPassphrase: signingPassphrase,
  2409. }
  2410. server1.initializeRouter()
  2411. server2 := httpdServer{
  2412. signingPassphrase: signingPassphrase,
  2413. }
  2414. server2.initializeRouter()
  2415. user := dataprovider.User{
  2416. BaseUser: sdk.BaseUser{
  2417. Username: "",
  2418. Password: "pwd",
  2419. },
  2420. }
  2421. c := jwtTokenClaims{
  2422. Username: user.Username,
  2423. Permissions: nil,
  2424. Signature: user.GetSignature(),
  2425. }
  2426. token, err := c.createTokenResponse(server1.tokenAuth, tokenAudienceWebClient, "")
  2427. assert.NoError(t, err)
  2428. accessToken := token["access_token"].(string)
  2429. assert.NotEmpty(t, accessToken)
  2430. _, err = server1.tokenAuth.Decode(accessToken)
  2431. assert.NoError(t, err)
  2432. _, err = server2.tokenAuth.Decode(accessToken)
  2433. assert.NoError(t, err)
  2434. }
  2435. func TestLoginLinks(t *testing.T) {
  2436. b := Binding{
  2437. EnableWebAdmin: true,
  2438. EnableWebClient: false,
  2439. EnableRESTAPI: true,
  2440. }
  2441. assert.False(t, b.showClientLoginURL())
  2442. b = Binding{
  2443. EnableWebAdmin: false,
  2444. EnableWebClient: true,
  2445. EnableRESTAPI: true,
  2446. }
  2447. assert.False(t, b.showAdminLoginURL())
  2448. b = Binding{
  2449. EnableWebAdmin: true,
  2450. EnableWebClient: true,
  2451. EnableRESTAPI: true,
  2452. }
  2453. assert.True(t, b.showAdminLoginURL())
  2454. assert.True(t, b.showClientLoginURL())
  2455. b.HideLoginURL = 3
  2456. assert.False(t, b.showAdminLoginURL())
  2457. assert.False(t, b.showClientLoginURL())
  2458. b.HideLoginURL = 1
  2459. assert.True(t, b.showAdminLoginURL())
  2460. assert.False(t, b.showClientLoginURL())
  2461. b.HideLoginURL = 2
  2462. assert.False(t, b.showAdminLoginURL())
  2463. assert.True(t, b.showClientLoginURL())
  2464. }
  2465. func TestResetCodesCleanup(t *testing.T) {
  2466. resetCode := newResetCode(util.GenerateUniqueID(), false)
  2467. resetCode.ExpiresAt = time.Now().Add(-1 * time.Minute).UTC()
  2468. err := resetCodesMgr.Add(resetCode)
  2469. assert.NoError(t, err)
  2470. resetCodesMgr.Cleanup()
  2471. _, err = resetCodesMgr.Get(resetCode.Code)
  2472. assert.Error(t, err)
  2473. }
  2474. func TestUserCanResetPassword(t *testing.T) {
  2475. req, err := http.NewRequest(http.MethodGet, webClientLoginPath, nil)
  2476. assert.NoError(t, err)
  2477. req.RemoteAddr = "172.16.9.2:55080"
  2478. u := dataprovider.User{}
  2479. assert.True(t, isUserAllowedToResetPassword(req, &u))
  2480. u.Filters.DeniedProtocols = []string{common.ProtocolHTTP}
  2481. assert.False(t, isUserAllowedToResetPassword(req, &u))
  2482. u.Filters.DeniedProtocols = nil
  2483. u.Filters.WebClient = []string{sdk.WebClientPasswordResetDisabled}
  2484. assert.False(t, isUserAllowedToResetPassword(req, &u))
  2485. u.Filters.WebClient = nil
  2486. u.Filters.DeniedLoginMethods = []string{dataprovider.LoginMethodPassword}
  2487. assert.False(t, isUserAllowedToResetPassword(req, &u))
  2488. u.Filters.DeniedLoginMethods = nil
  2489. u.Filters.AllowedIP = []string{"127.0.0.1/8"}
  2490. assert.False(t, isUserAllowedToResetPassword(req, &u))
  2491. }
  2492. func TestMetadataAPI(t *testing.T) {
  2493. username := "metadatauser"
  2494. assert.False(t, common.ActiveMetadataChecks.Remove(username))
  2495. user := dataprovider.User{
  2496. BaseUser: sdk.BaseUser{
  2497. Username: username,
  2498. Password: "metadata_pwd",
  2499. HomeDir: filepath.Join(os.TempDir(), username),
  2500. Status: 1,
  2501. },
  2502. }
  2503. user.Permissions = make(map[string][]string)
  2504. user.Permissions["/"] = []string{dataprovider.PermAny}
  2505. err := dataprovider.AddUser(&user, "", "", "")
  2506. assert.NoError(t, err)
  2507. assert.True(t, common.ActiveMetadataChecks.Add(username, ""))
  2508. tokenAuth := jwtauth.New(jwa.HS256.String(), util.GenerateRandomBytes(32), nil)
  2509. claims := make(map[string]any)
  2510. claims["username"] = defaultAdminUsername
  2511. claims[jwt.ExpirationKey] = time.Now().UTC().Add(1 * time.Hour)
  2512. token, _, err := tokenAuth.Encode(claims)
  2513. assert.NoError(t, err)
  2514. req, err := http.NewRequest(http.MethodPost, path.Join(metadataBasePath, username, "check"), nil)
  2515. assert.NoError(t, err)
  2516. rctx := chi.NewRouteContext()
  2517. rctx.URLParams.Add("username", username)
  2518. req = req.WithContext(context.WithValue(req.Context(), chi.RouteCtxKey, rctx))
  2519. req = req.WithContext(context.WithValue(req.Context(), jwtauth.TokenCtxKey, token))
  2520. rr := httptest.NewRecorder()
  2521. startMetadataCheck(rr, req)
  2522. assert.Equal(t, http.StatusConflict, rr.Code, rr.Body.String())
  2523. assert.True(t, common.ActiveMetadataChecks.Remove(username))
  2524. assert.Len(t, common.ActiveMetadataChecks.Get(""), 0)
  2525. err = dataprovider.DeleteUser(username, "", "", "")
  2526. assert.NoError(t, err)
  2527. user.FsConfig.Provider = sdk.AzureBlobFilesystemProvider
  2528. err = doMetadataCheck(user)
  2529. assert.Error(t, err)
  2530. }
  2531. func TestBrowsableSharePaths(t *testing.T) {
  2532. share := dataprovider.Share{
  2533. Paths: []string{"/"},
  2534. Username: defaultAdminUsername,
  2535. }
  2536. _, err := getUserForShare(share)
  2537. if assert.Error(t, err) {
  2538. assert.ErrorIs(t, err, util.ErrNotFound)
  2539. }
  2540. req, err := http.NewRequest(http.MethodGet, "/share", nil)
  2541. require.NoError(t, err)
  2542. name, err := getBrowsableSharedPath(share, req)
  2543. assert.NoError(t, err)
  2544. assert.Equal(t, "/", name)
  2545. req, err = http.NewRequest(http.MethodGet, "/share?path=abc", nil)
  2546. require.NoError(t, err)
  2547. name, err = getBrowsableSharedPath(share, req)
  2548. assert.NoError(t, err)
  2549. assert.Equal(t, "/abc", name)
  2550. share.Paths = []string{"/a/b/c"}
  2551. req, err = http.NewRequest(http.MethodGet, "/share?path=abc", nil)
  2552. require.NoError(t, err)
  2553. name, err = getBrowsableSharedPath(share, req)
  2554. assert.NoError(t, err)
  2555. assert.Equal(t, "/a/b/c/abc", name)
  2556. req, err = http.NewRequest(http.MethodGet, "/share?path=%2Fabc/d", nil)
  2557. require.NoError(t, err)
  2558. name, err = getBrowsableSharedPath(share, req)
  2559. assert.NoError(t, err)
  2560. assert.Equal(t, "/a/b/c/abc/d", name)
  2561. req, err = http.NewRequest(http.MethodGet, "/share?path=%2Fabc%2F..%2F..", nil)
  2562. require.NoError(t, err)
  2563. _, err = getBrowsableSharedPath(share, req)
  2564. assert.Error(t, err)
  2565. req, err = http.NewRequest(http.MethodGet, "/share?path=%2Fabc%2F..", nil)
  2566. require.NoError(t, err)
  2567. name, err = getBrowsableSharedPath(share, req)
  2568. assert.NoError(t, err)
  2569. assert.Equal(t, "/a/b/c", name)
  2570. share = dataprovider.Share{
  2571. Paths: []string{"/a", "/b"},
  2572. }
  2573. }
  2574. func TestSecureMiddlewareIntegration(t *testing.T) {
  2575. forwardedHostHeader := "X-Forwarded-Host"
  2576. server := httpdServer{
  2577. binding: Binding{
  2578. ProxyAllowed: []string{"192.168.1.0/24"},
  2579. Security: SecurityConf{
  2580. Enabled: true,
  2581. AllowedHosts: []string{"*.sftpgo.com"},
  2582. AllowedHostsAreRegex: true,
  2583. HostsProxyHeaders: []string{forwardedHostHeader},
  2584. HTTPSProxyHeaders: []HTTPSProxyHeader{
  2585. {
  2586. Key: xForwardedProto,
  2587. Value: "https",
  2588. },
  2589. },
  2590. STSSeconds: 31536000,
  2591. STSIncludeSubdomains: true,
  2592. STSPreload: true,
  2593. ContentTypeNosniff: true,
  2594. },
  2595. },
  2596. enableWebAdmin: true,
  2597. enableWebClient: true,
  2598. enableRESTAPI: true,
  2599. }
  2600. server.binding.Security.updateProxyHeaders()
  2601. err := server.binding.parseAllowedProxy()
  2602. assert.NoError(t, err)
  2603. assert.Equal(t, []string{forwardedHostHeader, xForwardedProto}, server.binding.Security.proxyHeaders)
  2604. assert.Equal(t, map[string]string{xForwardedProto: "https"}, server.binding.Security.getHTTPSProxyHeaders())
  2605. server.initializeRouter()
  2606. rr := httptest.NewRecorder()
  2607. r, err := http.NewRequest(http.MethodGet, webClientLoginPath, nil)
  2608. assert.NoError(t, err)
  2609. r.Host = "127.0.0.1"
  2610. server.router.ServeHTTP(rr, r)
  2611. assert.Equal(t, http.StatusForbidden, rr.Code)
  2612. rr = httptest.NewRecorder()
  2613. r.Header.Set(forwardedHostHeader, "www.sftpgo.com")
  2614. server.router.ServeHTTP(rr, r)
  2615. assert.Equal(t, http.StatusForbidden, rr.Code)
  2616. // the header should be removed
  2617. assert.Empty(t, r.Header.Get(forwardedHostHeader))
  2618. rr = httptest.NewRecorder()
  2619. r.Host = "test.sftpgo.com"
  2620. r.Header.Set(forwardedHostHeader, "test.example.com")
  2621. r.RemoteAddr = "192.168.1.1"
  2622. server.router.ServeHTTP(rr, r)
  2623. assert.Equal(t, http.StatusForbidden, rr.Code)
  2624. assert.NotEmpty(t, r.Header.Get(forwardedHostHeader))
  2625. rr = httptest.NewRecorder()
  2626. r.Header.Set(forwardedHostHeader, "www.sftpgo.com")
  2627. r.RemoteAddr = "192.168.1.1"
  2628. server.router.ServeHTTP(rr, r)
  2629. assert.Equal(t, http.StatusOK, rr.Code)
  2630. assert.NotEmpty(t, r.Header.Get(forwardedHostHeader))
  2631. assert.Empty(t, rr.Header().Get("Strict-Transport-Security"))
  2632. assert.Equal(t, "nosniff", rr.Header().Get("X-Content-Type-Options"))
  2633. // now set the X-Forwarded-Proto to https, we should get the Strict-Transport-Security header
  2634. rr = httptest.NewRecorder()
  2635. r.Host = "test.sftpgo.com"
  2636. r.Header.Set(xForwardedProto, "https")
  2637. r.RemoteAddr = "192.168.1.3"
  2638. server.router.ServeHTTP(rr, r)
  2639. assert.Equal(t, http.StatusOK, rr.Code)
  2640. assert.NotEmpty(t, r.Header.Get(forwardedHostHeader))
  2641. assert.Equal(t, "max-age=31536000; includeSubDomains; preload", rr.Header().Get("Strict-Transport-Security"))
  2642. assert.Equal(t, "nosniff", rr.Header().Get("X-Content-Type-Options"))
  2643. server.binding.Security.Enabled = false
  2644. server.binding.Security.updateProxyHeaders()
  2645. assert.Len(t, server.binding.Security.proxyHeaders, 0)
  2646. }
  2647. func TestGetCompressedFileName(t *testing.T) {
  2648. username := "test"
  2649. res := getCompressedFileName(username, []string{"single dir"})
  2650. require.Equal(t, fmt.Sprintf("%s-single dir.zip", username), res)
  2651. res = getCompressedFileName(username, []string{"file1", "file2"})
  2652. require.Equal(t, fmt.Sprintf("%s-download.zip", username), res)
  2653. res = getCompressedFileName(username, []string{"file1.txt"})
  2654. require.Equal(t, fmt.Sprintf("%s-file1.zip", username), res)
  2655. // now files with full paths
  2656. res = getCompressedFileName(username, []string{"/dir/single dir"})
  2657. require.Equal(t, fmt.Sprintf("%s-single dir.zip", username), res)
  2658. res = getCompressedFileName(username, []string{"/adir/file1", "/adir/file2"})
  2659. require.Equal(t, fmt.Sprintf("%s-download.zip", username), res)
  2660. res = getCompressedFileName(username, []string{"/sub/dir/file1.txt"})
  2661. require.Equal(t, fmt.Sprintf("%s-file1.zip", username), res)
  2662. }
  2663. func TestRESTAPIDisabled(t *testing.T) {
  2664. server := httpdServer{
  2665. enableWebAdmin: true,
  2666. enableWebClient: true,
  2667. enableRESTAPI: false,
  2668. }
  2669. server.initializeRouter()
  2670. assert.False(t, server.enableRESTAPI)
  2671. rr := httptest.NewRecorder()
  2672. r, err := http.NewRequest(http.MethodGet, healthzPath, nil)
  2673. assert.NoError(t, err)
  2674. server.router.ServeHTTP(rr, r)
  2675. assert.Equal(t, http.StatusOK, rr.Code)
  2676. rr = httptest.NewRecorder()
  2677. r, err = http.NewRequest(http.MethodGet, tokenPath, nil)
  2678. assert.NoError(t, err)
  2679. server.router.ServeHTTP(rr, r)
  2680. assert.Equal(t, http.StatusNotFound, rr.Code)
  2681. }
  2682. func TestWebAdminSetupWithInstallCode(t *testing.T) {
  2683. installationCode = "1234"
  2684. // delete all the admins
  2685. admins, err := dataprovider.GetAdmins(100, 0, dataprovider.OrderASC)
  2686. assert.NoError(t, err)
  2687. for _, admin := range admins {
  2688. err = dataprovider.DeleteAdmin(admin.Username, "", "", "")
  2689. assert.NoError(t, err)
  2690. }
  2691. // close the provider and initializes it without creating the default admin
  2692. providerConf := dataprovider.GetProviderConfig()
  2693. providerConf.CreateDefaultAdmin = false
  2694. err = dataprovider.Close()
  2695. assert.NoError(t, err)
  2696. err = dataprovider.Initialize(providerConf, configDir, true)
  2697. assert.NoError(t, err)
  2698. server := httpdServer{
  2699. enableWebAdmin: true,
  2700. enableWebClient: true,
  2701. enableRESTAPI: true,
  2702. }
  2703. server.initializeRouter()
  2704. rr := httptest.NewRecorder()
  2705. r, err := http.NewRequest(http.MethodGet, webAdminSetupPath, nil)
  2706. assert.NoError(t, err)
  2707. server.router.ServeHTTP(rr, r)
  2708. assert.Equal(t, http.StatusOK, rr.Code)
  2709. for _, webURL := range []string{"/", webBasePath, webBaseAdminPath, webAdminLoginPath, webClientLoginPath} {
  2710. rr = httptest.NewRecorder()
  2711. r, err = http.NewRequest(http.MethodGet, webURL, nil)
  2712. assert.NoError(t, err)
  2713. server.router.ServeHTTP(rr, r)
  2714. assert.Equal(t, http.StatusFound, rr.Code)
  2715. assert.Equal(t, webAdminSetupPath, rr.Header().Get("Location"))
  2716. }
  2717. form := make(url.Values)
  2718. csrfToken := createCSRFToken("")
  2719. form.Set("_form_token", csrfToken)
  2720. form.Set("install_code", installationCode+"5")
  2721. form.Set("username", defaultAdminUsername)
  2722. form.Set("password", "password")
  2723. form.Set("confirm_password", "password")
  2724. rr = httptest.NewRecorder()
  2725. r, err = http.NewRequest(http.MethodPost, webAdminSetupPath, bytes.NewBuffer([]byte(form.Encode())))
  2726. assert.NoError(t, err)
  2727. r.Header.Set("Content-Type", "application/x-www-form-urlencoded")
  2728. server.router.ServeHTTP(rr, r)
  2729. assert.Equal(t, http.StatusOK, rr.Code)
  2730. assert.Contains(t, rr.Body.String(), "Installation code mismatch")
  2731. _, err = dataprovider.AdminExists(defaultAdminUsername)
  2732. assert.Error(t, err)
  2733. form.Set("install_code", installationCode)
  2734. rr = httptest.NewRecorder()
  2735. r, err = http.NewRequest(http.MethodPost, webAdminSetupPath, bytes.NewBuffer([]byte(form.Encode())))
  2736. assert.NoError(t, err)
  2737. r.Header.Set("Content-Type", "application/x-www-form-urlencoded")
  2738. server.router.ServeHTTP(rr, r)
  2739. assert.Equal(t, http.StatusFound, rr.Code)
  2740. _, err = dataprovider.AdminExists(defaultAdminUsername)
  2741. assert.NoError(t, err)
  2742. // delete the admin and test the installation code resolver
  2743. err = dataprovider.DeleteAdmin(defaultAdminUsername, "", "", "")
  2744. assert.NoError(t, err)
  2745. err = dataprovider.Close()
  2746. assert.NoError(t, err)
  2747. err = dataprovider.Initialize(providerConf, configDir, true)
  2748. assert.NoError(t, err)
  2749. SetInstallationCodeResolver(func(defaultInstallationCode string) string {
  2750. return "5678"
  2751. })
  2752. rr = httptest.NewRecorder()
  2753. r, err = http.NewRequest(http.MethodGet, webAdminSetupPath, nil)
  2754. assert.NoError(t, err)
  2755. server.router.ServeHTTP(rr, r)
  2756. assert.Equal(t, http.StatusOK, rr.Code)
  2757. for _, webURL := range []string{"/", webBasePath, webBaseAdminPath, webAdminLoginPath, webClientLoginPath} {
  2758. rr = httptest.NewRecorder()
  2759. r, err = http.NewRequest(http.MethodGet, webURL, nil)
  2760. assert.NoError(t, err)
  2761. server.router.ServeHTTP(rr, r)
  2762. assert.Equal(t, http.StatusFound, rr.Code)
  2763. assert.Equal(t, webAdminSetupPath, rr.Header().Get("Location"))
  2764. }
  2765. form = make(url.Values)
  2766. csrfToken = createCSRFToken("")
  2767. form.Set("_form_token", csrfToken)
  2768. form.Set("install_code", installationCode)
  2769. form.Set("username", defaultAdminUsername)
  2770. form.Set("password", "password")
  2771. form.Set("confirm_password", "password")
  2772. rr = httptest.NewRecorder()
  2773. r, err = http.NewRequest(http.MethodPost, webAdminSetupPath, bytes.NewBuffer([]byte(form.Encode())))
  2774. assert.NoError(t, err)
  2775. r.Header.Set("Content-Type", "application/x-www-form-urlencoded")
  2776. server.router.ServeHTTP(rr, r)
  2777. assert.Equal(t, http.StatusOK, rr.Code)
  2778. assert.Contains(t, rr.Body.String(), "Installation code mismatch")
  2779. _, err = dataprovider.AdminExists(defaultAdminUsername)
  2780. assert.Error(t, err)
  2781. form.Set("install_code", "5678")
  2782. rr = httptest.NewRecorder()
  2783. r, err = http.NewRequest(http.MethodPost, webAdminSetupPath, bytes.NewBuffer([]byte(form.Encode())))
  2784. assert.NoError(t, err)
  2785. r.Header.Set("Content-Type", "application/x-www-form-urlencoded")
  2786. server.router.ServeHTTP(rr, r)
  2787. assert.Equal(t, http.StatusFound, rr.Code)
  2788. _, err = dataprovider.AdminExists(defaultAdminUsername)
  2789. assert.NoError(t, err)
  2790. err = dataprovider.Close()
  2791. assert.NoError(t, err)
  2792. providerConf.CreateDefaultAdmin = true
  2793. err = dataprovider.Initialize(providerConf, configDir, true)
  2794. assert.NoError(t, err)
  2795. installationCode = ""
  2796. SetInstallationCodeResolver(nil)
  2797. }
  2798. func TestDbResetCodeManager(t *testing.T) {
  2799. if !isSharedProviderSupported() {
  2800. t.Skip("this test it is not available with this provider")
  2801. }
  2802. mgr := newResetCodeManager(1)
  2803. resetCode := newResetCode("admin", true)
  2804. err := mgr.Add(resetCode)
  2805. assert.NoError(t, err)
  2806. codeGet, err := mgr.Get(resetCode.Code)
  2807. assert.NoError(t, err)
  2808. assert.Equal(t, resetCode, codeGet)
  2809. err = mgr.Delete(resetCode.Code)
  2810. assert.NoError(t, err)
  2811. err = mgr.Delete(resetCode.Code)
  2812. if assert.Error(t, err) {
  2813. assert.ErrorIs(t, err, util.ErrNotFound)
  2814. }
  2815. _, err = mgr.Get(resetCode.Code)
  2816. assert.ErrorIs(t, err, sql.ErrNoRows)
  2817. // add an expired reset code
  2818. resetCode = newResetCode("user", false)
  2819. resetCode.ExpiresAt = time.Now().Add(-24 * time.Hour)
  2820. err = mgr.Add(resetCode)
  2821. assert.NoError(t, err)
  2822. _, err = mgr.Get(resetCode.Code)
  2823. if assert.Error(t, err) {
  2824. assert.Contains(t, err.Error(), "reset code expired")
  2825. }
  2826. mgr.Cleanup()
  2827. _, err = mgr.Get(resetCode.Code)
  2828. assert.ErrorIs(t, err, sql.ErrNoRows)
  2829. dbMgr, ok := mgr.(*dbResetCodeManager)
  2830. if assert.True(t, ok) {
  2831. _, err = dbMgr.decodeData("astring")
  2832. assert.Error(t, err)
  2833. }
  2834. }
  2835. func TestDecodeToken(t *testing.T) {
  2836. nodeID := "nodeID"
  2837. token := map[string]any{
  2838. claimUsernameKey: defaultAdminUsername,
  2839. claimPermissionsKey: []string{dataprovider.PermAdminAny},
  2840. jwt.SubjectKey: "",
  2841. claimNodeID: nodeID,
  2842. claimMustChangePasswordKey: false,
  2843. claimMustSetSecondFactorKey: true,
  2844. }
  2845. c := jwtTokenClaims{}
  2846. c.Decode(token)
  2847. assert.Equal(t, defaultAdminUsername, c.Username)
  2848. assert.Equal(t, nodeID, c.NodeID)
  2849. assert.False(t, c.MustChangePassword)
  2850. assert.True(t, c.MustSetTwoFactorAuth)
  2851. token[claimMustChangePasswordKey] = 10
  2852. c = jwtTokenClaims{}
  2853. c.Decode(token)
  2854. assert.False(t, c.MustChangePassword)
  2855. token[claimMustChangePasswordKey] = true
  2856. c = jwtTokenClaims{}
  2857. c.Decode(token)
  2858. assert.True(t, c.MustChangePassword)
  2859. claims := c.asMap()
  2860. assert.Equal(t, token, claims)
  2861. }
  2862. func TestEventRoleFilter(t *testing.T) {
  2863. defaultVal := "default"
  2864. req, err := http.NewRequest(http.MethodGet, fsEventsPath+"?role=role1", nil)
  2865. require.NoError(t, err)
  2866. role := getRoleFilterForEventSearch(req, defaultVal)
  2867. assert.Equal(t, defaultVal, role)
  2868. role = getRoleFilterForEventSearch(req, "")
  2869. assert.Equal(t, "role1", role)
  2870. }
  2871. func TestEventsCSV(t *testing.T) {
  2872. e := fsEvent{
  2873. Status: 1,
  2874. }
  2875. data := e.getCSVData()
  2876. assert.Equal(t, "OK", data[5])
  2877. e.Status = 2
  2878. data = e.getCSVData()
  2879. assert.Equal(t, "KO", data[5])
  2880. e.Status = 3
  2881. data = e.getCSVData()
  2882. assert.Equal(t, "Quota exceeded", data[5])
  2883. }
  2884. func TestConfigsFromProvider(t *testing.T) {
  2885. err := dataprovider.UpdateConfigs(nil, "", "", "")
  2886. assert.NoError(t, err)
  2887. c := Conf{
  2888. Bindings: []Binding{
  2889. {
  2890. Port: 1234,
  2891. },
  2892. {
  2893. Port: 80,
  2894. Security: SecurityConf{
  2895. Enabled: true,
  2896. HTTPSRedirect: true,
  2897. },
  2898. },
  2899. },
  2900. }
  2901. err = c.loadFromProvider()
  2902. assert.NoError(t, err)
  2903. assert.Empty(t, c.acmeDomain)
  2904. configs := dataprovider.Configs{
  2905. ACME: &dataprovider.ACMEConfigs{
  2906. Domain: "domain.com",
  2907. Email: "info@domain.com",
  2908. HTTP01Challenge: dataprovider.ACMEHTTP01Challenge{Port: 80},
  2909. Protocols: 1,
  2910. },
  2911. }
  2912. err = dataprovider.UpdateConfigs(&configs, "", "", "")
  2913. assert.NoError(t, err)
  2914. util.CertsBasePath = ""
  2915. // crt and key empty
  2916. err = c.loadFromProvider()
  2917. assert.NoError(t, err)
  2918. assert.Empty(t, c.acmeDomain)
  2919. util.CertsBasePath = filepath.Clean(os.TempDir())
  2920. // crt not found
  2921. err = c.loadFromProvider()
  2922. assert.NoError(t, err)
  2923. assert.Empty(t, c.acmeDomain)
  2924. keyPairs := c.getKeyPairs(configDir)
  2925. assert.Len(t, keyPairs, 0)
  2926. crtPath := filepath.Join(util.CertsBasePath, util.SanitizeDomain(configs.ACME.Domain)+".crt")
  2927. err = os.WriteFile(crtPath, nil, 0666)
  2928. assert.NoError(t, err)
  2929. // key not found
  2930. err = c.loadFromProvider()
  2931. assert.NoError(t, err)
  2932. assert.Empty(t, c.acmeDomain)
  2933. keyPairs = c.getKeyPairs(configDir)
  2934. assert.Len(t, keyPairs, 0)
  2935. keyPath := filepath.Join(util.CertsBasePath, util.SanitizeDomain(configs.ACME.Domain)+".key")
  2936. err = os.WriteFile(keyPath, nil, 0666)
  2937. assert.NoError(t, err)
  2938. // acme cert used
  2939. err = c.loadFromProvider()
  2940. assert.NoError(t, err)
  2941. assert.Equal(t, configs.ACME.Domain, c.acmeDomain)
  2942. keyPairs = c.getKeyPairs(configDir)
  2943. assert.Len(t, keyPairs, 1)
  2944. assert.True(t, c.Bindings[0].EnableHTTPS)
  2945. assert.False(t, c.Bindings[1].EnableHTTPS)
  2946. // protocols does not match
  2947. configs.ACME.Protocols = 6
  2948. err = dataprovider.UpdateConfigs(&configs, "", "", "")
  2949. assert.NoError(t, err)
  2950. c.acmeDomain = ""
  2951. err = c.loadFromProvider()
  2952. assert.NoError(t, err)
  2953. assert.Empty(t, c.acmeDomain)
  2954. keyPairs = c.getKeyPairs(configDir)
  2955. assert.Len(t, keyPairs, 0)
  2956. err = os.Remove(crtPath)
  2957. assert.NoError(t, err)
  2958. err = os.Remove(keyPath)
  2959. assert.NoError(t, err)
  2960. util.CertsBasePath = ""
  2961. err = dataprovider.UpdateConfigs(nil, "", "", "")
  2962. assert.NoError(t, err)
  2963. }
  2964. func TestHTTPSRedirect(t *testing.T) {
  2965. acmeWebRoot := filepath.Join(os.TempDir(), "acme")
  2966. err := os.MkdirAll(acmeWebRoot, os.ModePerm)
  2967. assert.NoError(t, err)
  2968. tokenName := "token"
  2969. err = os.WriteFile(filepath.Join(acmeWebRoot, tokenName), []byte("val"), 0666)
  2970. assert.NoError(t, err)
  2971. acmeConfig := acme.Configuration{
  2972. HTTP01Challenge: acme.HTTP01Challenge{WebRoot: acmeWebRoot},
  2973. }
  2974. err = acme.Initialize(acmeConfig, configDir, true)
  2975. require.NoError(t, err)
  2976. forwardedHostHeader := "X-Forwarded-Host"
  2977. server := httpdServer{
  2978. binding: Binding{
  2979. Security: SecurityConf{
  2980. Enabled: true,
  2981. HTTPSRedirect: true,
  2982. HostsProxyHeaders: []string{forwardedHostHeader},
  2983. },
  2984. },
  2985. }
  2986. server.initializeRouter()
  2987. rr := httptest.NewRecorder()
  2988. r, err := http.NewRequest(http.MethodGet, path.Join(acmeChallengeURI, tokenName), nil)
  2989. assert.NoError(t, err)
  2990. r.Host = "localhost"
  2991. r.RequestURI = path.Join(acmeChallengeURI, tokenName)
  2992. server.router.ServeHTTP(rr, r)
  2993. assert.Equal(t, http.StatusOK, rr.Code, rr.Body.String())
  2994. rr = httptest.NewRecorder()
  2995. r, err = http.NewRequest(http.MethodGet, webAdminLoginPath, nil)
  2996. assert.NoError(t, err)
  2997. r.RequestURI = webAdminLoginPath
  2998. server.router.ServeHTTP(rr, r)
  2999. assert.Equal(t, http.StatusTemporaryRedirect, rr.Code, rr.Body.String())
  3000. rr = httptest.NewRecorder()
  3001. r, err = http.NewRequest(http.MethodGet, webAdminLoginPath, nil)
  3002. assert.NoError(t, err)
  3003. r.RequestURI = webAdminLoginPath
  3004. r.Header.Set(forwardedHostHeader, "sftpgo.com")
  3005. server.router.ServeHTTP(rr, r)
  3006. assert.Equal(t, http.StatusTemporaryRedirect, rr.Code, rr.Body.String())
  3007. assert.Contains(t, rr.Body.String(), "https://sftpgo.com")
  3008. server.binding.Security.HTTPSHost = "myhost:1044"
  3009. rr = httptest.NewRecorder()
  3010. r, err = http.NewRequest(http.MethodGet, webAdminLoginPath, nil)
  3011. assert.NoError(t, err)
  3012. r.RequestURI = webAdminLoginPath
  3013. server.router.ServeHTTP(rr, r)
  3014. assert.Equal(t, http.StatusTemporaryRedirect, rr.Code, rr.Body.String())
  3015. assert.Contains(t, rr.Body.String(), "https://myhost:1044")
  3016. err = os.RemoveAll(acmeWebRoot)
  3017. assert.NoError(t, err)
  3018. }
  3019. func TestGetLogEventString(t *testing.T) {
  3020. assert.Equal(t, "Login failed", getLogEventString(notifier.LogEventTypeLoginFailed))
  3021. assert.Equal(t, "Login with non-existent user", getLogEventString(notifier.LogEventTypeLoginNoUser))
  3022. assert.Equal(t, "No login tried", getLogEventString(notifier.LogEventTypeNoLoginTried))
  3023. assert.Equal(t, "Algorithm negotiation failed", getLogEventString(notifier.LogEventTypeNotNegotiated))
  3024. assert.Empty(t, getLogEventString(0))
  3025. }
  3026. func TestUserQuotaUsage(t *testing.T) {
  3027. usage := userQuotaUsage{
  3028. QuotaSize: 100,
  3029. }
  3030. require.True(t, usage.HasQuotaInfo())
  3031. require.NotEmpty(t, usage.GetQuotaSize())
  3032. providerConf := dataprovider.GetProviderConfig()
  3033. quotaTracking := dataprovider.GetQuotaTracking()
  3034. providerConf.TrackQuota = 0
  3035. err := dataprovider.Close()
  3036. assert.NoError(t, err)
  3037. err = dataprovider.Initialize(providerConf, configDir, true)
  3038. assert.NoError(t, err)
  3039. err = dataprovider.Close()
  3040. assert.NoError(t, err)
  3041. assert.False(t, usage.HasQuotaInfo())
  3042. providerConf.TrackQuota = quotaTracking
  3043. err = dataprovider.Initialize(providerConf, configDir, true)
  3044. assert.NoError(t, err)
  3045. usage.QuotaSize = 0
  3046. assert.False(t, usage.HasQuotaInfo())
  3047. assert.Empty(t, usage.GetQuotaSize())
  3048. assert.Equal(t, 0, usage.GetQuotaSizePercentage())
  3049. assert.False(t, usage.IsQuotaSizeLow())
  3050. assert.False(t, usage.IsDiskQuotaLow())
  3051. assert.False(t, usage.IsQuotaLow())
  3052. usage.UsedQuotaSize = 9
  3053. assert.NotEmpty(t, usage.GetQuotaSize())
  3054. usage.QuotaSize = 10
  3055. assert.True(t, usage.IsQuotaSizeLow())
  3056. assert.True(t, usage.IsDiskQuotaLow())
  3057. assert.True(t, usage.IsQuotaLow())
  3058. usage.DownloadDataTransfer = 1
  3059. assert.True(t, usage.HasQuotaInfo())
  3060. assert.True(t, usage.HasTranferQuota())
  3061. assert.Empty(t, usage.GetQuotaFiles())
  3062. assert.Equal(t, 0, usage.GetQuotaFilesPercentage())
  3063. usage.QuotaFiles = 1
  3064. assert.NotEmpty(t, usage.GetQuotaFiles())
  3065. usage.QuotaFiles = 0
  3066. usage.UsedQuotaFiles = 9
  3067. assert.NotEmpty(t, usage.GetQuotaFiles())
  3068. usage.QuotaFiles = 10
  3069. usage.DownloadDataTransfer = 0
  3070. assert.True(t, usage.IsQuotaFilesLow())
  3071. assert.True(t, usage.IsDiskQuotaLow())
  3072. assert.False(t, usage.IsTotalTransferQuotaLow())
  3073. assert.False(t, usage.IsUploadTransferQuotaLow())
  3074. assert.False(t, usage.IsDownloadTransferQuotaLow())
  3075. assert.Equal(t, 0, usage.GetTotalTransferQuotaPercentage())
  3076. assert.Equal(t, 0, usage.GetUploadTransferQuotaPercentage())
  3077. assert.Equal(t, 0, usage.GetDownloadTransferQuotaPercentage())
  3078. assert.Empty(t, usage.GetTotalTransferQuota())
  3079. assert.Empty(t, usage.GetUploadTransferQuota())
  3080. assert.Empty(t, usage.GetDownloadTransferQuota())
  3081. usage.TotalDataTransfer = 3
  3082. usage.UsedUploadDataTransfer = 1 * 1048576
  3083. assert.NotEmpty(t, usage.GetTotalTransferQuota())
  3084. usage.TotalDataTransfer = 0
  3085. assert.NotEmpty(t, usage.GetTotalTransferQuota())
  3086. assert.NotEmpty(t, usage.GetUploadTransferQuota())
  3087. usage.UploadDataTransfer = 2
  3088. assert.NotEmpty(t, usage.GetUploadTransferQuota())
  3089. usage.UsedDownloadDataTransfer = 1 * 1048576
  3090. assert.NotEmpty(t, usage.GetDownloadTransferQuota())
  3091. usage.DownloadDataTransfer = 2
  3092. assert.NotEmpty(t, usage.GetDownloadTransferQuota())
  3093. assert.False(t, usage.IsTransferQuotaLow())
  3094. usage.UsedDownloadDataTransfer = 8 * 1048576
  3095. usage.TotalDataTransfer = 10
  3096. assert.True(t, usage.IsTotalTransferQuotaLow())
  3097. assert.True(t, usage.IsTransferQuotaLow())
  3098. usage.TotalDataTransfer = 0
  3099. usage.UploadDataTransfer = 0
  3100. usage.DownloadDataTransfer = 0
  3101. assert.False(t, usage.IsTransferQuotaLow())
  3102. usage.UploadDataTransfer = 10
  3103. usage.UsedUploadDataTransfer = 9 * 1048576
  3104. assert.True(t, usage.IsUploadTransferQuotaLow())
  3105. assert.True(t, usage.IsTransferQuotaLow())
  3106. usage.DownloadDataTransfer = 10
  3107. usage.UsedDownloadDataTransfer = 9 * 1048576
  3108. assert.True(t, usage.IsDownloadTransferQuotaLow())
  3109. assert.True(t, usage.IsTransferQuotaLow())
  3110. }
  3111. func TestShareRedirectURL(t *testing.T) {
  3112. shareID := util.GenerateUniqueID()
  3113. base := path.Join(webClientPubSharesPath, shareID)
  3114. next := path.Join(webClientPubSharesPath, shareID, "browse")
  3115. ok, res := checkShareRedirectURL(next, base)
  3116. assert.True(t, ok)
  3117. assert.Equal(t, next, res)
  3118. next = path.Join(webClientPubSharesPath, shareID, "browse") + "?a=b"
  3119. ok, res = checkShareRedirectURL(next, base)
  3120. assert.True(t, ok)
  3121. assert.Equal(t, next, res)
  3122. next = path.Join(webClientPubSharesPath, shareID)
  3123. ok, res = checkShareRedirectURL(next, base)
  3124. assert.True(t, ok)
  3125. assert.Equal(t, path.Join(base, "download"), res)
  3126. next = path.Join(webClientEditFilePath, shareID)
  3127. ok, res = checkShareRedirectURL(next, base)
  3128. assert.False(t, ok)
  3129. assert.Empty(t, res)
  3130. next = path.Join(webClientPubSharesPath, shareID) + "?compress=false&a=b"
  3131. ok, res = checkShareRedirectURL(next, base)
  3132. assert.True(t, ok)
  3133. assert.Equal(t, path.Join(base, "download?compress=false&a=b"), res)
  3134. next = path.Join(webClientPubSharesPath, shareID) + "?compress=true&b=c"
  3135. ok, res = checkShareRedirectURL(next, base)
  3136. assert.True(t, ok)
  3137. assert.Equal(t, path.Join(base, "download?compress=true&b=c"), res)
  3138. ok, res = checkShareRedirectURL("http://foo\x7f.com/ab", "http://foo\x7f.com/")
  3139. assert.False(t, ok)
  3140. assert.Empty(t, res)
  3141. ok, res = checkShareRedirectURL("http://foo.com/?foo\nbar", "http://foo.com")
  3142. assert.False(t, ok)
  3143. assert.Empty(t, res)
  3144. }
  3145. func isSharedProviderSupported() bool {
  3146. // SQLite shares the implementation with other SQL-based provider but it makes no sense
  3147. // to use it outside test cases
  3148. switch dataprovider.GetProviderStatus().Driver {
  3149. case dataprovider.MySQLDataProviderName, dataprovider.PGSQLDataProviderName,
  3150. dataprovider.CockroachDataProviderName, dataprovider.SQLiteDataProviderName:
  3151. return true
  3152. default:
  3153. return false
  3154. }
  3155. }