beenull/servnest
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
servnest/sftpgo-auth.php
Miraty 94fd035010 sftpgo-auth: allow chmod
2023-09-20 18:47:26 +02:00

55 lines
2.1 KiB
PHP
Raw Blame History

<?php declare(strict_types=1);
// ServNest authenticator for SFTPGo https://github.com/drakkan/sftpgo/blob/main/docs/external-auth.md
const DEBUG = false;
!DEBUG or ob_start();
require 'init.php';
function deny(string $reason): never {
!DEBUG or file_put_contents(ROOT_PATH . '/db/debug.txt', ob_get_contents() . $reason . LF);
http_response_code(403);
exit();
}
if (CONF['common']['services']['ht'] !== 'enabled')
deny('Service not enabled.');
$auth_data = json_decode(file_get_contents('php://input'), true, flags: JSON_THROW_ON_ERROR);
$username = hashUsername($auth_data['username']);
if (usernameExists($username) !== true)
deny('This username doesn\'t exist.');
$account = query('select', 'users', ['username' => $username])[0];
if (!in_array('ht', explode(',', $account['services']), true))
deny('Service not enabled for this user.');
const SFTPGO_DENY_PERMS = ['/' => ['list']];
const SFTPGO_ALLOW_PERMS = ['list', 'download', 'upload', 'overwrite', 'delete_files', 'delete_dirs', 'rename_files', 'rename_dirs', 'create_dirs', 'chmod', 'chtimes'];
if ($auth_data['password'] !== '') {
if (checkPassword($account['id'], $auth_data['password']) !== true)
deny('Wrong password.');
$permissions['/'] = SFTPGO_ALLOW_PERMS;
} else if ($auth_data['public_key'] !== '') {
$permissions = SFTPGO_DENY_PERMS;
foreach (query('select', 'ssh-keys', ['username' => $account['id']]) as $key)
if (hash_equals('ssh-ed25519 ' . $key['key'] . LF, $auth_data['public_key']))
$permissions[$key['directory']] = SFTPGO_ALLOW_PERMS;
if ($permissions === SFTPGO_DENY_PERMS)
deny('No matching SSH key allowed.');
} else
deny('Unknown authentication method.');
echo json_encode([
'status' => 1,
'username' => $auth_data['username'],
'home_dir' => CONF['ht']['ht_path'] . '/fs/' . $account['id'],
'quota_size' => ($account['type'] === 'approved') ? CONF['ht']['user_quota_approved'] : CONF['ht']['user_quota_testing'],
'permissions' => $permissions,
], JSON_THROW_ON_ERROR | JSON_UNESCAPED_SLASHES);
!DEBUG or file_put_contents(ROOT_PATH . '/db/debug.txt', ob_get_contents() . 'accepted');
http_response_code(200);
Reference in a new issue View git blame Copy permalink