beenull/sftpgo-mirror
1
0
Fork 0
mirror of https://github.com/drakkan/sftpgo.git synced 2024-11-22 15:40:23 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions
sftpgo-mirror/httpd/api_user.go

208 lines
6.4 KiB
Go
Raw Normal View History

add a basic web interface The builtin web interface allows to manage users and connections
2019-10-07 16:19:01 +00:00
package httpd
first version
2019-07-20 10:26:52 +00:00
import (
REST API v2 - add JWT authentication - admins are now stored inside the data provider - admin access can be restricted based on the source IP: both proxy header and connection IP are checked - deprecate REST API CLI: it is not relevant anymore Some other changes to the REST API can still happen before releasing SFTPGo 2.0.0 Fixes #197
2021-01-17 21:29:08 +00:00
"context"
first version
2019-07-20 10:26:52 +00:00
"errors"
REST API/Web admin: add a parameter to disconnect a user after an update This way you can force the user to login again and so to use the updated configuration. A deleted user will be automatically disconnected. Fixes #163 Improved some docs too.
2020-09-01 14:10:26 +00:00
"fmt"
first version
2019-07-20 10:26:52 +00:00
"net/http"
"strconv"
"github.com/go-chi/render"
add more linters test cases migration to testify is now complete. Linters are enabled for test cases too
2020-05-06 17:36:34 +00:00
REST API/Web admin: add a parameter to disconnect a user after an update This way you can force the user to login again and so to use the updated configuration. A deleted user will be automatically disconnected. Fixes #163 Improved some docs too.
2020-09-01 14:10:26 +00:00
"github.com/drakkan/sftpgo/common"
add more linters test cases migration to testify is now complete. Linters are enabled for test cases too
2020-05-06 17:36:34 +00:00
"github.com/drakkan/sftpgo/dataprovider"
add KMS support Fixes #226
2020-11-30 20:46:34 +00:00
"github.com/drakkan/sftpgo/kms"
add a dedicated struct to store encrypted credentials also gcs credentials are now encrypted, both on disk and inside the provider. Data provider is automatically migrated and load data will accept old format too but you should upgrade to the new format to avoid future issues
2020-11-22 20:53:04 +00:00
"github.com/drakkan/sftpgo/vfs"
first version
2019-07-20 10:26:52 +00:00
)
func getUsers(w http.ResponseWriter, r *http.Request) {
virtual folders: change dataprovider structure This way we no longer depend on the local file system path and so we can add support for cloud backends in future updates
2021-02-01 18:04:15 +00:00
limit, offset, order, err := getSearchFilters(w, r)
if err != nil {
return
first version
2019-07-20 10:26:52 +00:00
}
virtual folders: change dataprovider structure This way we no longer depend on the local file system path and so we can add support for cloud backends in future updates
2021-02-01 18:04:15 +00:00
REST API v2 - add JWT authentication - admins are now stored inside the data provider - admin access can be restricted based on the source IP: both proxy header and connection IP are checked - deprecate REST API CLI: it is not relevant anymore Some other changes to the REST API can still happen before releasing SFTPGo 2.0.0 Fixes #197
2021-01-17 21:29:08 +00:00
users, err := dataprovider.GetUsers(limit, offset, order)
first version
2019-07-20 10:26:52 +00:00
if err == nil {
render.JSON(w, r, users)
} else {
sendAPIResponse(w, r, err, "", http.StatusInternalServerError)
}
}
REST API v2 - add JWT authentication - admins are now stored inside the data provider - admin access can be restricted based on the source IP: both proxy header and connection IP are checked - deprecate REST API CLI: it is not relevant anymore Some other changes to the REST API can still happen before releasing SFTPGo 2.0.0 Fixes #197
2021-01-17 21:29:08 +00:00
func getUserByUsername(w http.ResponseWriter, r *http.Request) {
username := getURLParam(r, "username")
renderUser(w, r, username, http.StatusOK)
}
func renderUser(w http.ResponseWriter, r *http.Request, username string, status int) {
user, err := dataprovider.UserExists(username)
first version
2019-07-20 10:26:52 +00:00
if err != nil {
REST API v2 - add JWT authentication - admins are now stored inside the data provider - admin access can be restricted based on the source IP: both proxy header and connection IP are checked - deprecate REST API CLI: it is not relevant anymore Some other changes to the REST API can still happen before releasing SFTPGo 2.0.0 Fixes #197
2021-01-17 21:29:08 +00:00
sendAPIResponse(w, r, err, "", getRespStatus(err))
first version
2019-07-20 10:26:52 +00:00
return
}
kms: add a lock, secrets could be modified concurrently for cached users also reduce the size of the JSON payload omitting empty secrets
2021-03-22 18:03:25 +00:00
user.PrepareForRendering()
REST API v2 - add JWT authentication - admins are now stored inside the data provider - admin access can be restricted based on the source IP: both proxy header and connection IP are checked - deprecate REST API CLI: it is not relevant anymore Some other changes to the REST API can still happen before releasing SFTPGo 2.0.0 Fixes #197
2021-01-17 21:29:08 +00:00
if status != http.StatusOK {
virtual folders: change dataprovider structure This way we no longer depend on the local file system path and so we can add support for cloud backends in future updates
2021-02-01 18:04:15 +00:00
ctx := context.WithValue(r.Context(), render.StatusCtxKey, status)
REST API v2 - add JWT authentication - admins are now stored inside the data provider - admin access can be restricted based on the source IP: both proxy header and connection IP are checked - deprecate REST API CLI: it is not relevant anymore Some other changes to the REST API can still happen before releasing SFTPGo 2.0.0 Fixes #197
2021-01-17 21:29:08 +00:00
render.JSON(w, r.WithContext(ctx), user)
first version
2019-07-20 10:26:52 +00:00
} else {
REST API v2 - add JWT authentication - admins are now stored inside the data provider - admin access can be restricted based on the source IP: both proxy header and connection IP are checked - deprecate REST API CLI: it is not relevant anymore Some other changes to the REST API can still happen before releasing SFTPGo 2.0.0 Fixes #197
2021-01-17 21:29:08 +00:00
render.JSON(w, r, user)
first version
2019-07-20 10:26:52 +00:00
}
}
func addUser(w http.ResponseWriter, r *http.Request) {
add support for serving Google Cloud Storage over SFTP/SCP Each user can be mapped with a Google Cloud Storage bucket or a bucket virtual folder
2020-01-31 18:04:00 +00:00
r.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)
first version
2019-07-20 10:26:52 +00:00
var user dataprovider.User
err := render.DecodeJSON(r.Body, &user)
if err != nil {
sendAPIResponse(w, r, err, "", http.StatusBadRequest)
return
}
add KMS support Fixes #226
2020-11-30 20:46:34 +00:00
user.SetEmptySecretsIfNil()
add a dedicated struct to store encrypted credentials also gcs credentials are now encrypted, both on disk and inside the provider. Data provider is automatically migrated and load data will accept old format too but you should upgrade to the new format to avoid future issues
2020-11-22 20:53:04 +00:00
switch user.FsConfig.Provider {
extend virtual folders support to all storage backends Fixes #241
2021-03-21 18:15:47 +00:00
case vfs.S3FilesystemProvider:
add a dedicated struct to store encrypted credentials also gcs credentials are now encrypted, both on disk and inside the provider. Data provider is automatically migrated and load data will accept old format too but you should upgrade to the new format to avoid future issues
2020-11-22 20:53:04 +00:00
if user.FsConfig.S3Config.AccessSecret.IsRedacted() {
sendAPIResponse(w, r, errors.New("invalid access_secret"), "", http.StatusBadRequest)
return
}
extend virtual folders support to all storage backends Fixes #241
2021-03-21 18:15:47 +00:00
case vfs.GCSFilesystemProvider:
add a dedicated struct to store encrypted credentials also gcs credentials are now encrypted, both on disk and inside the provider. Data provider is automatically migrated and load data will accept old format too but you should upgrade to the new format to avoid future issues
2020-11-22 20:53:04 +00:00
if user.FsConfig.GCSConfig.Credentials.IsRedacted() {
sendAPIResponse(w, r, errors.New("invalid credentials"), "", http.StatusBadRequest)
return
}
extend virtual folders support to all storage backends Fixes #241
2021-03-21 18:15:47 +00:00
case vfs.AzureBlobFilesystemProvider:
add a dedicated struct to store encrypted credentials also gcs credentials are now encrypted, both on disk and inside the provider. Data provider is automatically migrated and load data will accept old format too but you should upgrade to the new format to avoid future issues
2020-11-22 20:53:04 +00:00
if user.FsConfig.AzBlobConfig.AccountKey.IsRedacted() {
sendAPIResponse(w, r, errors.New("invalid account_key"), "", http.StatusBadRequest)
return
}
extend virtual folders support to all storage backends Fixes #241
2021-03-21 18:15:47 +00:00
case vfs.CryptedFilesystemProvider:
add Data At Rest Encryption support
2020-12-05 12:48:13 +00:00
if user.FsConfig.CryptConfig.Passphrase.IsRedacted() {
sendAPIResponse(w, r, errors.New("invalid passphrase"), "", http.StatusBadRequest)
return
}
extend virtual folders support to all storage backends Fixes #241
2021-03-21 18:15:47 +00:00
case vfs.SFTPFilesystemProvider:
add sftpfs storage backend Fixes #224
2020-12-12 09:31:09 +00:00
if user.FsConfig.SFTPConfig.Password.IsRedacted() {
sendAPIResponse(w, r, errors.New("invalid SFTP password"), "", http.StatusBadRequest)
return
}
if user.FsConfig.SFTPConfig.PrivateKey.IsRedacted() {
sendAPIResponse(w, r, errors.New("invalid SFTP private key"), "", http.StatusBadRequest)
return
}
add a dedicated struct to store encrypted credentials also gcs credentials are now encrypted, both on disk and inside the provider. Data provider is automatically migrated and load data will accept old format too but you should upgrade to the new format to avoid future issues
2020-11-22 20:53:04 +00:00
}
fix a potential race condition for pre-login and ext auth hooks doing something like this: err = provider.updateUser(u) ... return provider.userExists(username) could be racy if another update happen before provider.userExists(username) also pass a pointer to updateUser so if the user is modified inside "validateUser" we can just return the modified user without do a new query
2021-01-05 08:50:22 +00:00
err = dataprovider.AddUser(&user)
REST API v2 - add JWT authentication - admins are now stored inside the data provider - admin access can be restricted based on the source IP: both proxy header and connection IP are checked - deprecate REST API CLI: it is not relevant anymore Some other changes to the REST API can still happen before releasing SFTPGo 2.0.0 Fixes #197
2021-01-17 21:29:08 +00:00
if err != nil {
first version
2019-07-20 10:26:52 +00:00
sendAPIResponse(w, r, err, "", getRespStatus(err))
REST API v2 - add JWT authentication - admins are now stored inside the data provider - admin access can be restricted based on the source IP: both proxy header and connection IP are checked - deprecate REST API CLI: it is not relevant anymore Some other changes to the REST API can still happen before releasing SFTPGo 2.0.0 Fixes #197
2021-01-17 21:29:08 +00:00
return
first version
2019-07-20 10:26:52 +00:00
}
REST API v2 - add JWT authentication - admins are now stored inside the data provider - admin access can be restricted based on the source IP: both proxy header and connection IP are checked - deprecate REST API CLI: it is not relevant anymore Some other changes to the REST API can still happen before releasing SFTPGo 2.0.0 Fixes #197
2021-01-17 21:29:08 +00:00
renderUser(w, r, user.Username, http.StatusCreated)
first version
2019-07-20 10:26:52 +00:00
}
func updateUser(w http.ResponseWriter, r *http.Request) {
add support for serving Google Cloud Storage over SFTP/SCP Each user can be mapped with a Google Cloud Storage bucket or a bucket virtual folder
2020-01-31 18:04:00 +00:00
r.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)
REST API v2 - add JWT authentication - admins are now stored inside the data provider - admin access can be restricted based on the source IP: both proxy header and connection IP are checked - deprecate REST API CLI: it is not relevant anymore Some other changes to the REST API can still happen before releasing SFTPGo 2.0.0 Fixes #197
2021-01-17 21:29:08 +00:00
var err error
username := getURLParam(r, "username")
REST API/Web admin: add a parameter to disconnect a user after an update This way you can force the user to login again and so to use the updated configuration. A deleted user will be automatically disconnected. Fixes #163 Improved some docs too.
2020-09-01 14:10:26 +00:00
disconnect := 0
if _, ok := r.URL.Query()["disconnect"]; ok {
disconnect, err = strconv.Atoi(r.URL.Query().Get("disconnect"))
if err != nil {
err = fmt.Errorf("invalid disconnect parameter: %v", err)
sendAPIResponse(w, r, err, "", http.StatusBadRequest)
return
}
}
REST API v2 - add JWT authentication - admins are now stored inside the data provider - admin access can be restricted based on the source IP: both proxy header and connection IP are checked - deprecate REST API CLI: it is not relevant anymore Some other changes to the REST API can still happen before releasing SFTPGo 2.0.0 Fixes #197
2021-01-17 21:29:08 +00:00
user, err := dataprovider.UserExists(username)
Add API endpoint to set current quota Fixes #130
2020-06-20 10:38:04 +00:00
if err != nil {
sendAPIResponse(w, r, err, "", getRespStatus(err))
return
}
REST API v2 - add JWT authentication - admins are now stored inside the data provider - admin access can be restricted based on the source IP: both proxy header and connection IP are checked - deprecate REST API CLI: it is not relevant anymore Some other changes to the REST API can still happen before releasing SFTPGo 2.0.0 Fixes #197
2021-01-17 21:29:08 +00:00
userID := user.ID
add support for serving Google Cloud Storage over SFTP/SCP Each user can be mapped with a Google Cloud Storage bucket or a bucket virtual folder
2020-01-31 18:04:00 +00:00
currentPermissions := user.Permissions
add sftpfs storage backend Fixes #224
2020-12-12 09:31:09 +00:00
currentS3AccessSecret := user.FsConfig.S3Config.AccessSecret
currentAzAccountKey := user.FsConfig.AzBlobConfig.AccountKey
currentGCSCredentials := user.FsConfig.GCSConfig.Credentials
currentCryptoPassphrase := user.FsConfig.CryptConfig.Passphrase
currentSFTPPassword := user.FsConfig.SFTPConfig.Password
currentSFTPKey := user.FsConfig.SFTPConfig.PrivateKey
add Data At Rest Encryption support
2020-12-05 12:48:13 +00:00
add per directory permissions we can now have permissions such as these ones {"/":["*"],"/somedir":["list","download"]} The old permissions are automatically converted to the new structure, no database migration is needed
2019-12-25 17:20:19 +00:00
user.Permissions = make(map[string][]string)
add a dedicated struct to store encrypted credentials also gcs credentials are now encrypted, both on disk and inside the provider. Data provider is automatically migrated and load data will accept old format too but you should upgrade to the new format to avoid future issues
2020-11-22 20:53:04 +00:00
user.FsConfig.S3Config = vfs.S3FsConfig{}
user.FsConfig.AzBlobConfig = vfs.AzBlobFsConfig{}
user.FsConfig.GCSConfig = vfs.GCSFsConfig{}
add Data At Rest Encryption support
2020-12-05 12:48:13 +00:00
user.FsConfig.CryptConfig = vfs.CryptFsConfig{}
add sftpfs storage backend Fixes #224
2020-12-12 09:31:09 +00:00
user.FsConfig.SFTPConfig = vfs.SFTPFsConfig{}
extend virtual folders support to all storage backends Fixes #241
2021-03-21 18:15:47 +00:00
user.VirtualFolders = nil
first version
2019-07-20 10:26:52 +00:00
err = render.DecodeJSON(r.Body, &user)
if err != nil {
sendAPIResponse(w, r, err, "", http.StatusBadRequest)
return
}
REST API v2 - add JWT authentication - admins are now stored inside the data provider - admin access can be restricted based on the source IP: both proxy header and connection IP are checked - deprecate REST API CLI: it is not relevant anymore Some other changes to the REST API can still happen before releasing SFTPGo 2.0.0 Fixes #197
2021-01-17 21:29:08 +00:00
user.ID = userID
user.Username = username
add KMS support Fixes #226
2020-11-30 20:46:34 +00:00
user.SetEmptySecretsIfNil()
add per directory permissions we can now have permissions such as these ones {"/":["*"],"/somedir":["list","download"]} The old permissions are automatically converted to the new structure, no database migration is needed
2019-12-25 17:20:19 +00:00
// we use new Permissions if passed otherwise the old ones
if len(user.Permissions) == 0 {
add support for serving Google Cloud Storage over SFTP/SCP Each user can be mapped with a Google Cloud Storage bucket or a bucket virtual folder
2020-01-31 18:04:00 +00:00
user.Permissions = currentPermissions
add per directory permissions we can now have permissions such as these ones {"/":["*"],"/somedir":["list","download"]} The old permissions are automatically converted to the new structure, no database migration is needed
2019-12-25 17:20:19 +00:00
}
extend virtual folders support to all storage backends Fixes #241
2021-03-21 18:15:47 +00:00
updateEncryptedSecrets(&user.FsConfig, currentS3AccessSecret, currentAzAccountKey, currentGCSCredentials, currentCryptoPassphrase,
add sftpfs storage backend Fixes #224
2020-12-12 09:31:09 +00:00
currentSFTPPassword, currentSFTPKey)
fix a potential race condition for pre-login and ext auth hooks doing something like this: err = provider.updateUser(u) ... return provider.userExists(username) could be racy if another update happen before provider.userExists(username) also pass a pointer to updateUser so if the user is modified inside "validateUser" we can just return the modified user without do a new query
2021-01-05 08:50:22 +00:00
err = dataprovider.UpdateUser(&user)
first version
2019-07-20 10:26:52 +00:00
if err != nil {
sendAPIResponse(w, r, err, "", getRespStatus(err))
REST API v2 - add JWT authentication - admins are now stored inside the data provider - admin access can be restricted based on the source IP: both proxy header and connection IP are checked - deprecate REST API CLI: it is not relevant anymore Some other changes to the REST API can still happen before releasing SFTPGo 2.0.0 Fixes #197
2021-01-17 21:29:08 +00:00
return
}
sendAPIResponse(w, r, err, "User updated", http.StatusOK)
if disconnect == 1 {
disconnectUser(user.Username)
first version
2019-07-20 10:26:52 +00:00
}
}
func deleteUser(w http.ResponseWriter, r *http.Request) {
REST API v2 - add JWT authentication - admins are now stored inside the data provider - admin access can be restricted based on the source IP: both proxy header and connection IP are checked - deprecate REST API CLI: it is not relevant anymore Some other changes to the REST API can still happen before releasing SFTPGo 2.0.0 Fixes #197
2021-01-17 21:29:08 +00:00
username := getURLParam(r, "username")
err := dataprovider.DeleteUser(username)
Add API endpoint to set current quota Fixes #130
2020-06-20 10:38:04 +00:00
if err != nil {
sendAPIResponse(w, r, err, "", getRespStatus(err))
first version
2019-07-20 10:26:52 +00:00
return
}
REST API v2 - add JWT authentication - admins are now stored inside the data provider - admin access can be restricted based on the source IP: both proxy header and connection IP are checked - deprecate REST API CLI: it is not relevant anymore Some other changes to the REST API can still happen before releasing SFTPGo 2.0.0 Fixes #197
2021-01-17 21:29:08 +00:00
sendAPIResponse(w, r, err, "User deleted", http.StatusOK)
disconnectUser(username)
REST API/Web admin: add a parameter to disconnect a user after an update This way you can force the user to login again and so to use the updated configuration. A deleted user will be automatically disconnected. Fixes #163 Improved some docs too.
2020-09-01 14:10:26 +00:00
}
func disconnectUser(username string) {
for _, stat := range common.Connections.GetStats() {
if stat.Username == username {
common.Connections.Close(stat.ConnectionID)
}
first version
2019-07-20 10:26:52 +00:00
}
}
add Azure Blob support
2020-10-25 07:18:48 +00:00
extend virtual folders support to all storage backends Fixes #241
2021-03-21 18:15:47 +00:00
func updateEncryptedSecrets(fsConfig *vfs.Filesystem, currentS3AccessSecret, currentAzAccountKey,
add sftpfs storage backend Fixes #224
2020-12-12 09:31:09 +00:00
currentGCSCredentials, currentCryptoPassphrase, currentSFTPPassword, currentSFTPKey *kms.Secret) {
add a dedicated struct to store encrypted credentials also gcs credentials are now encrypted, both on disk and inside the provider. Data provider is automatically migrated and load data will accept old format too but you should upgrade to the new format to avoid future issues
2020-11-22 20:53:04 +00:00
// we use the new access secret if plain or empty, otherwise the old value
extend virtual folders support to all storage backends Fixes #241
2021-03-21 18:15:47 +00:00
switch fsConfig.Provider {
case vfs.S3FilesystemProvider:
if fsConfig.S3Config.AccessSecret.IsNotPlainAndNotEmpty() {
fsConfig.S3Config.AccessSecret = currentS3AccessSecret
add Azure Blob support
2020-10-25 07:18:48 +00:00
}
extend virtual folders support to all storage backends Fixes #241
2021-03-21 18:15:47 +00:00
case vfs.AzureBlobFilesystemProvider:
if fsConfig.AzBlobConfig.AccountKey.IsNotPlainAndNotEmpty() {
fsConfig.AzBlobConfig.AccountKey = currentAzAccountKey
add Azure Blob support
2020-10-25 07:18:48 +00:00
}
extend virtual folders support to all storage backends Fixes #241
2021-03-21 18:15:47 +00:00
case vfs.GCSFilesystemProvider:
if fsConfig.GCSConfig.Credentials.IsNotPlainAndNotEmpty() {
fsConfig.GCSConfig.Credentials = currentGCSCredentials
add a dedicated struct to store encrypted credentials also gcs credentials are now encrypted, both on disk and inside the provider. Data provider is automatically migrated and load data will accept old format too but you should upgrade to the new format to avoid future issues
2020-11-22 20:53:04 +00:00
}
extend virtual folders support to all storage backends Fixes #241
2021-03-21 18:15:47 +00:00
case vfs.CryptedFilesystemProvider:
if fsConfig.CryptConfig.Passphrase.IsNotPlainAndNotEmpty() {
fsConfig.CryptConfig.Passphrase = currentCryptoPassphrase
add Data At Rest Encryption support
2020-12-05 12:48:13 +00:00
}
extend virtual folders support to all storage backends Fixes #241
2021-03-21 18:15:47 +00:00
case vfs.SFTPFilesystemProvider:
if fsConfig.SFTPConfig.Password.IsNotPlainAndNotEmpty() {
fsConfig.SFTPConfig.Password = currentSFTPPassword
add sftpfs storage backend Fixes #224
2020-12-12 09:31:09 +00:00
}
extend virtual folders support to all storage backends Fixes #241
2021-03-21 18:15:47 +00:00
if fsConfig.SFTPConfig.PrivateKey.IsNotPlainAndNotEmpty() {
fsConfig.SFTPConfig.PrivateKey = currentSFTPKey
add sftpfs storage backend Fixes #224
2020-12-12 09:31:09 +00:00
}
add Data At Rest Encryption support
2020-12-05 12:48:13 +00:00
}
add Azure Blob support
2020-10-25 07:18:48 +00:00
}
Reference in a new issue Copy permalink