2019-07-20 10:26:52 +00:00
|
|
|
package dataprovider
|
|
|
|
|
|
|
|
import (
|
|
|
|
"encoding/json"
|
2020-06-07 21:30:18 +00:00
|
|
|
"errors"
|
2019-10-07 16:19:01 +00:00
|
|
|
"fmt"
|
2019-12-30 17:37:50 +00:00
|
|
|
"net"
|
2020-02-23 10:30:26 +00:00
|
|
|
"os"
|
2019-12-25 17:20:19 +00:00
|
|
|
"path"
|
2019-07-20 10:26:52 +00:00
|
|
|
"path/filepath"
|
2019-10-07 16:19:01 +00:00
|
|
|
"strconv"
|
2020-03-01 21:10:29 +00:00
|
|
|
"strings"
|
2020-02-23 10:30:26 +00:00
|
|
|
"time"
|
2019-07-20 10:26:52 +00:00
|
|
|
|
2019-12-30 17:37:50 +00:00
|
|
|
"github.com/drakkan/sftpgo/logger"
|
2019-07-20 10:26:52 +00:00
|
|
|
"github.com/drakkan/sftpgo/utils"
|
2020-01-19 06:41:05 +00:00
|
|
|
"github.com/drakkan/sftpgo/vfs"
|
2019-07-20 10:26:52 +00:00
|
|
|
)
|
|
|
|
|
2019-07-30 18:51:29 +00:00
|
|
|
// Available permissions for SFTP users
|
2019-07-20 10:26:52 +00:00
|
|
|
const (
|
2019-07-30 18:51:29 +00:00
|
|
|
// All permissions are granted
|
|
|
|
PermAny = "*"
|
|
|
|
// List items such as files and directories is allowed
|
|
|
|
PermListItems = "list"
|
|
|
|
// download files is allowed
|
|
|
|
PermDownload = "download"
|
|
|
|
// upload files is allowed
|
|
|
|
PermUpload = "upload"
|
2019-09-17 06:53:45 +00:00
|
|
|
// overwrite an existing file, while uploading, is allowed
|
|
|
|
// upload permission is required to allow file overwrite
|
|
|
|
PermOverwrite = "overwrite"
|
2019-07-30 18:51:29 +00:00
|
|
|
// delete files or directories is allowed
|
|
|
|
PermDelete = "delete"
|
|
|
|
// rename files or directories is allowed
|
|
|
|
PermRename = "rename"
|
|
|
|
// create directories is allowed
|
|
|
|
PermCreateDirs = "create_dirs"
|
|
|
|
// create symbolic links is allowed
|
2019-07-20 10:26:52 +00:00
|
|
|
PermCreateSymlinks = "create_symlinks"
|
2019-11-15 11:15:07 +00:00
|
|
|
// changing file or directory permissions is allowed
|
|
|
|
PermChmod = "chmod"
|
2019-11-15 11:26:52 +00:00
|
|
|
// changing file or directory owner and group is allowed
|
2019-11-15 11:15:07 +00:00
|
|
|
PermChown = "chown"
|
2019-11-16 09:23:41 +00:00
|
|
|
// changing file or directory access and modification time is allowed
|
|
|
|
PermChtimes = "chtimes"
|
2019-07-20 10:26:52 +00:00
|
|
|
)
|
|
|
|
|
2020-02-19 21:39:30 +00:00
|
|
|
// Available SSH login methods
|
|
|
|
const (
|
|
|
|
SSHLoginMethodPublicKey = "publickey"
|
|
|
|
SSHLoginMethodPassword = "password"
|
|
|
|
SSHLoginMethodKeyboardInteractive = "keyboard-interactive"
|
2020-04-09 21:32:42 +00:00
|
|
|
SSHLoginMethodKeyAndPassword = "publickey+password"
|
|
|
|
SSHLoginMethodKeyAndKeyboardInt = "publickey+keyboard-interactive"
|
2020-02-19 21:39:30 +00:00
|
|
|
)
|
|
|
|
|
2020-06-07 21:30:18 +00:00
|
|
|
var (
|
|
|
|
errNoMatchingVirtualFolder = errors.New("no matching virtual folder found")
|
|
|
|
)
|
|
|
|
|
2020-03-01 21:10:29 +00:00
|
|
|
// ExtensionsFilter defines filters based on file extensions.
|
|
|
|
// These restrictions do not apply to files listing for performance reasons, so
|
|
|
|
// a denied file cannot be downloaded/overwritten/renamed but will still be
|
|
|
|
// it will still be listed in the list of files.
|
|
|
|
// System commands such as Git and rsync interacts with the filesystem directly
|
|
|
|
// and they are not aware about these restrictions so rsync is not allowed if
|
|
|
|
// extensions filters are defined and Git is not allowed inside a path with
|
|
|
|
// extensions filters
|
|
|
|
type ExtensionsFilter struct {
|
|
|
|
// SFTP/SCP path, if no other specific filter is defined, the filter apply for
|
|
|
|
// sub directories too.
|
|
|
|
// For example if filters are defined for the paths "/" and "/sub" then the
|
|
|
|
// filters for "/" are applied for any file outside the "/sub" directory
|
|
|
|
Path string `json:"path"`
|
|
|
|
// only files with these, case insensitive, extensions are allowed.
|
|
|
|
// Shell like expansion is not supported so you have to specify ".jpg" and
|
|
|
|
// not "*.jpg"
|
|
|
|
AllowedExtensions []string `json:"allowed_extensions,omitempty"`
|
|
|
|
// files with these, case insensitive, extensions are not allowed.
|
|
|
|
// Denied file extensions are evaluated before the allowed ones
|
|
|
|
DeniedExtensions []string `json:"denied_extensions,omitempty"`
|
|
|
|
}
|
|
|
|
|
2019-12-30 17:37:50 +00:00
|
|
|
// UserFilters defines additional restrictions for a user
|
|
|
|
type UserFilters struct {
|
|
|
|
// only clients connecting from these IP/Mask are allowed.
|
|
|
|
// IP/Mask must be in CIDR notation as defined in RFC 4632 and RFC 4291
|
|
|
|
// for example "192.0.2.0/24" or "2001:db8::/32"
|
2020-02-19 21:39:30 +00:00
|
|
|
AllowedIP []string `json:"allowed_ip,omitempty"`
|
2019-12-30 17:37:50 +00:00
|
|
|
// clients connecting from these IP/Mask are not allowed.
|
|
|
|
// Denied rules will be evaluated before allowed ones
|
2020-02-19 21:39:30 +00:00
|
|
|
DeniedIP []string `json:"denied_ip,omitempty"`
|
|
|
|
// these login methods are not allowed.
|
|
|
|
// If null or empty any available login method is allowed
|
|
|
|
DeniedLoginMethods []string `json:"denied_login_methods,omitempty"`
|
2020-03-01 21:10:29 +00:00
|
|
|
// filters based on file extensions.
|
|
|
|
// Please note that these restrictions can be easily bypassed.
|
|
|
|
FileExtensions []ExtensionsFilter `json:"file_extensions,omitempty"`
|
2019-12-30 17:37:50 +00:00
|
|
|
}
|
|
|
|
|
2020-01-19 06:41:05 +00:00
|
|
|
// Filesystem defines cloud storage filesystem details
|
|
|
|
type Filesystem struct {
|
2020-01-31 18:04:00 +00:00
|
|
|
// 0 local filesystem, 1 Amazon S3 compatible, 2 Google Cloud Storage
|
|
|
|
Provider int `json:"provider"`
|
|
|
|
S3Config vfs.S3FsConfig `json:"s3config,omitempty"`
|
|
|
|
GCSConfig vfs.GCSFsConfig `json:"gcsconfig,omitempty"`
|
2020-01-19 06:41:05 +00:00
|
|
|
}
|
|
|
|
|
2019-07-20 10:26:52 +00:00
|
|
|
// User defines an SFTP user
|
|
|
|
type User struct {
|
2019-07-30 18:51:29 +00:00
|
|
|
// Database unique identifier
|
|
|
|
ID int64 `json:"id"`
|
2019-11-13 10:36:21 +00:00
|
|
|
// 1 enabled, 0 disabled (login is not allowed)
|
|
|
|
Status int `json:"status"`
|
2019-07-30 18:51:29 +00:00
|
|
|
// Username
|
|
|
|
Username string `json:"username"`
|
2019-11-13 10:36:21 +00:00
|
|
|
// Account expiration date as unix timestamp in milliseconds. An expired account cannot login.
|
|
|
|
// 0 means no expiration
|
|
|
|
ExpirationDate int64 `json:"expiration_date"`
|
2019-07-30 18:51:29 +00:00
|
|
|
// Password used for password authentication.
|
|
|
|
// For users created using SFTPGo REST API the password is be stored using argon2id hashing algo.
|
2020-01-31 18:04:00 +00:00
|
|
|
// Checking passwords stored with bcrypt, pbkdf2, md5crypt and sha512crypt is supported too.
|
2019-07-30 18:51:29 +00:00
|
|
|
Password string `json:"password,omitempty"`
|
2019-08-07 21:41:10 +00:00
|
|
|
// PublicKeys used for public key authentication. At least one between password and a public key is mandatory
|
|
|
|
PublicKeys []string `json:"public_keys,omitempty"`
|
2019-07-30 18:51:29 +00:00
|
|
|
// The user cannot upload or download files outside this directory. Must be an absolute path
|
|
|
|
HomeDir string `json:"home_dir"`
|
2020-06-07 21:30:18 +00:00
|
|
|
// Mapping between virtual paths and filesystem paths outside the home directory.
|
|
|
|
// Supported for local filesystem only
|
2020-02-23 10:30:26 +00:00
|
|
|
VirtualFolders []vfs.VirtualFolder `json:"virtual_folders,omitempty"`
|
2019-07-30 18:51:29 +00:00
|
|
|
// If sftpgo runs as root system user then the created files and directories will be assigned to this system UID
|
|
|
|
UID int `json:"uid"`
|
|
|
|
// If sftpgo runs as root system user then the created files and directories will be assigned to this system GID
|
|
|
|
GID int `json:"gid"`
|
|
|
|
// Maximum concurrent sessions. 0 means unlimited
|
|
|
|
MaxSessions int `json:"max_sessions"`
|
|
|
|
// Maximum size allowed as bytes. 0 means unlimited
|
|
|
|
QuotaSize int64 `json:"quota_size"`
|
|
|
|
// Maximum number of files allowed. 0 means unlimited
|
|
|
|
QuotaFiles int `json:"quota_files"`
|
|
|
|
// List of the granted permissions
|
2019-12-25 17:20:19 +00:00
|
|
|
Permissions map[string][]string `json:"permissions"`
|
2019-07-30 18:51:29 +00:00
|
|
|
// Used quota as bytes
|
|
|
|
UsedQuotaSize int64 `json:"used_quota_size"`
|
|
|
|
// Used quota as number of files
|
|
|
|
UsedQuotaFiles int `json:"used_quota_files"`
|
|
|
|
// Last quota update as unix timestamp in milliseconds
|
|
|
|
LastQuotaUpdate int64 `json:"last_quota_update"`
|
|
|
|
// Maximum upload bandwidth as KB/s, 0 means unlimited
|
|
|
|
UploadBandwidth int64 `json:"upload_bandwidth"`
|
|
|
|
// Maximum download bandwidth as KB/s, 0 means unlimited
|
|
|
|
DownloadBandwidth int64 `json:"download_bandwidth"`
|
2019-11-13 10:36:21 +00:00
|
|
|
// Last login as unix timestamp in milliseconds
|
|
|
|
LastLogin int64 `json:"last_login"`
|
2019-12-30 17:37:50 +00:00
|
|
|
// Additional restrictions
|
|
|
|
Filters UserFilters `json:"filters"`
|
2020-01-19 06:41:05 +00:00
|
|
|
// Filesystem configuration details
|
|
|
|
FsConfig Filesystem `json:"filesystem"`
|
|
|
|
}
|
|
|
|
|
|
|
|
// GetFilesystem returns the filesystem for this user
|
|
|
|
func (u *User) GetFilesystem(connectionID string) (vfs.Fs, error) {
|
|
|
|
if u.FsConfig.Provider == 1 {
|
|
|
|
return vfs.NewS3Fs(connectionID, u.GetHomeDir(), u.FsConfig.S3Config)
|
2020-01-31 18:04:00 +00:00
|
|
|
} else if u.FsConfig.Provider == 2 {
|
|
|
|
config := u.FsConfig.GCSConfig
|
|
|
|
config.CredentialFile = u.getGCSCredentialsFilePath()
|
|
|
|
return vfs.NewGCSFs(connectionID, u.GetHomeDir(), config)
|
2020-01-19 06:41:05 +00:00
|
|
|
}
|
2020-02-23 10:30:26 +00:00
|
|
|
return vfs.NewOsFs(connectionID, u.GetHomeDir(), u.VirtualFolders), nil
|
2019-07-20 10:26:52 +00:00
|
|
|
}
|
|
|
|
|
2020-01-05 10:41:25 +00:00
|
|
|
// GetPermissionsForPath returns the permissions for the given path.
|
|
|
|
// The path must be an SFTP path
|
2019-12-25 17:20:19 +00:00
|
|
|
func (u *User) GetPermissionsForPath(p string) []string {
|
|
|
|
permissions := []string{}
|
|
|
|
if perms, ok := u.Permissions["/"]; ok {
|
|
|
|
// if only root permissions are defined returns them unconditionally
|
|
|
|
if len(u.Permissions) == 1 {
|
|
|
|
return perms
|
|
|
|
}
|
|
|
|
// fallback permissions
|
|
|
|
permissions = perms
|
|
|
|
}
|
2020-02-23 10:30:26 +00:00
|
|
|
dirsForPath := utils.GetDirsForSFTPPath(p)
|
2019-12-25 17:20:19 +00:00
|
|
|
// dirsForPath contains all the dirs for a given path in reverse order
|
|
|
|
// for example if the path is: /1/2/3/4 it contains:
|
|
|
|
// [ "/1/2/3/4", "/1/2/3", "/1/2", "/1", "/" ]
|
|
|
|
// so the first match is the one we are interested to
|
|
|
|
for _, val := range dirsForPath {
|
|
|
|
if perms, ok := u.Permissions[val]; ok {
|
|
|
|
permissions = perms
|
|
|
|
break
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return permissions
|
|
|
|
}
|
|
|
|
|
2020-06-07 21:30:18 +00:00
|
|
|
// GetVirtualFolderForPath returns the virtual folder containing the specified sftp path.
|
|
|
|
// If the path is not inside a virtual folder an error is returned
|
|
|
|
func (u *User) GetVirtualFolderForPath(sftpPath string) (vfs.VirtualFolder, error) {
|
|
|
|
var folder vfs.VirtualFolder
|
2020-05-01 13:27:53 +00:00
|
|
|
if len(u.VirtualFolders) == 0 || u.FsConfig.Provider != 0 {
|
2020-06-07 21:30:18 +00:00
|
|
|
return folder, errNoMatchingVirtualFolder
|
2020-05-01 13:27:53 +00:00
|
|
|
}
|
|
|
|
dirsForPath := utils.GetDirsForSFTPPath(path.Dir(sftpPath))
|
|
|
|
for _, val := range dirsForPath {
|
|
|
|
for _, v := range u.VirtualFolders {
|
|
|
|
if v.VirtualPath == val {
|
2020-06-07 21:30:18 +00:00
|
|
|
return v, nil
|
2020-05-01 13:27:53 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
2020-06-07 21:30:18 +00:00
|
|
|
return folder, errNoMatchingVirtualFolder
|
2020-05-01 13:27:53 +00:00
|
|
|
}
|
|
|
|
|
2020-02-23 10:30:26 +00:00
|
|
|
// AddVirtualDirs adds virtual folders, if defined, to the given files list
|
|
|
|
func (u *User) AddVirtualDirs(list []os.FileInfo, sftpPath string) []os.FileInfo {
|
|
|
|
if len(u.VirtualFolders) == 0 {
|
|
|
|
return list
|
|
|
|
}
|
|
|
|
for _, v := range u.VirtualFolders {
|
|
|
|
if path.Dir(v.VirtualPath) == sftpPath {
|
|
|
|
fi := vfs.NewFileInfo(path.Base(v.VirtualPath), true, 0, time.Time{})
|
|
|
|
found := false
|
|
|
|
for index, f := range list {
|
|
|
|
if f.Name() == fi.Name() {
|
|
|
|
list[index] = fi
|
|
|
|
found = true
|
|
|
|
break
|
|
|
|
}
|
|
|
|
}
|
|
|
|
if !found {
|
|
|
|
list = append(list, fi)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return list
|
|
|
|
}
|
|
|
|
|
|
|
|
// IsVirtualFolder returns true if the specified sftp path is a virtual folder
|
|
|
|
func (u *User) IsVirtualFolder(sftpPath string) bool {
|
|
|
|
for _, v := range u.VirtualFolders {
|
|
|
|
if sftpPath == v.VirtualPath {
|
|
|
|
return true
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return false
|
|
|
|
}
|
|
|
|
|
2020-06-07 21:30:18 +00:00
|
|
|
// HasVirtualFoldersInside return true if there are virtual folders inside the
|
|
|
|
// specified SFTP path. We assume that path are cleaned
|
|
|
|
func (u *User) HasVirtualFoldersInside(sftpPath string) bool {
|
|
|
|
for _, v := range u.VirtualFolders {
|
|
|
|
if len(v.VirtualPath) > len(sftpPath) {
|
|
|
|
if strings.HasPrefix(v.VirtualPath, sftpPath+"/") {
|
|
|
|
return true
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return false
|
|
|
|
}
|
|
|
|
|
2019-07-20 10:26:52 +00:00
|
|
|
// HasPerm returns true if the user has the given permission or any permission
|
2019-12-25 17:20:19 +00:00
|
|
|
func (u *User) HasPerm(permission, path string) bool {
|
|
|
|
perms := u.GetPermissionsForPath(path)
|
|
|
|
if utils.IsStringInSlice(PermAny, perms) {
|
2019-07-20 10:26:52 +00:00
|
|
|
return true
|
|
|
|
}
|
2019-12-25 17:20:19 +00:00
|
|
|
return utils.IsStringInSlice(permission, perms)
|
2019-07-20 10:26:52 +00:00
|
|
|
}
|
|
|
|
|
2019-11-26 21:26:42 +00:00
|
|
|
// HasPerms return true if the user has all the given permissions
|
2019-12-25 17:20:19 +00:00
|
|
|
func (u *User) HasPerms(permissions []string, path string) bool {
|
|
|
|
perms := u.GetPermissionsForPath(path)
|
|
|
|
if utils.IsStringInSlice(PermAny, perms) {
|
2019-11-26 21:26:42 +00:00
|
|
|
return true
|
|
|
|
}
|
|
|
|
for _, permission := range permissions {
|
2019-12-25 17:20:19 +00:00
|
|
|
if !utils.IsStringInSlice(permission, perms) {
|
2019-11-26 21:26:42 +00:00
|
|
|
return false
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return true
|
|
|
|
}
|
|
|
|
|
2020-06-07 21:30:18 +00:00
|
|
|
// HasNoQuotaRestrictions returns true if no quota restrictions need to be applyed
|
|
|
|
func (u *User) HasNoQuotaRestrictions(checkFiles bool) bool {
|
|
|
|
if u.QuotaSize == 0 && (!checkFiles || u.QuotaFiles == 0) {
|
|
|
|
return true
|
|
|
|
}
|
|
|
|
return false
|
|
|
|
}
|
|
|
|
|
2020-04-09 21:32:42 +00:00
|
|
|
// IsLoginMethodAllowed returns true if the specified login method is allowed
|
|
|
|
func (u *User) IsLoginMethodAllowed(loginMethod string, partialSuccessMethods []string) bool {
|
2020-02-19 21:39:30 +00:00
|
|
|
if len(u.Filters.DeniedLoginMethods) == 0 {
|
|
|
|
return true
|
|
|
|
}
|
2020-04-09 21:32:42 +00:00
|
|
|
if len(partialSuccessMethods) == 1 {
|
|
|
|
for _, method := range u.GetNextAuthMethods(partialSuccessMethods) {
|
|
|
|
if method == loginMethod {
|
|
|
|
return true
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
if utils.IsStringInSlice(loginMethod, u.Filters.DeniedLoginMethods) {
|
|
|
|
return false
|
|
|
|
}
|
|
|
|
return true
|
|
|
|
}
|
|
|
|
|
|
|
|
// GetNextAuthMethods returns the list of authentications methods that
|
|
|
|
// can continue for multi-step authentication
|
|
|
|
func (u *User) GetNextAuthMethods(partialSuccessMethods []string) []string {
|
|
|
|
var methods []string
|
|
|
|
if len(partialSuccessMethods) != 1 {
|
|
|
|
return methods
|
|
|
|
}
|
|
|
|
if partialSuccessMethods[0] != SSHLoginMethodPublicKey {
|
|
|
|
return methods
|
|
|
|
}
|
|
|
|
for _, method := range u.GetAllowedLoginMethods() {
|
|
|
|
if method == SSHLoginMethodKeyAndPassword {
|
|
|
|
methods = append(methods, SSHLoginMethodPassword)
|
|
|
|
}
|
|
|
|
if method == SSHLoginMethodKeyAndKeyboardInt {
|
|
|
|
methods = append(methods, SSHLoginMethodKeyboardInteractive)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return methods
|
|
|
|
}
|
|
|
|
|
|
|
|
// IsPartialAuth returns true if the specified login method is a step for
|
|
|
|
// a multi-step Authentication.
|
|
|
|
// We support publickey+password and publickey+keyboard-interactive, so
|
|
|
|
// only publickey can returns partial success.
|
|
|
|
// We can have partial success if only multi-step Auth methods are enabled
|
|
|
|
func (u *User) IsPartialAuth(loginMethod string) bool {
|
|
|
|
if loginMethod != SSHLoginMethodPublicKey {
|
2020-02-19 21:39:30 +00:00
|
|
|
return false
|
|
|
|
}
|
2020-04-09 21:32:42 +00:00
|
|
|
for _, method := range u.GetAllowedLoginMethods() {
|
|
|
|
if !utils.IsStringInSlice(method, SSHMultiStepsLoginMethods) {
|
|
|
|
return false
|
|
|
|
}
|
|
|
|
}
|
2020-02-19 21:39:30 +00:00
|
|
|
return true
|
|
|
|
}
|
|
|
|
|
2020-04-09 21:32:42 +00:00
|
|
|
// GetAllowedLoginMethods returns the allowed login methods
|
|
|
|
func (u *User) GetAllowedLoginMethods() []string {
|
|
|
|
var allowedMethods []string
|
|
|
|
for _, method := range ValidSSHLoginMethods {
|
|
|
|
if !utils.IsStringInSlice(method, u.Filters.DeniedLoginMethods) {
|
|
|
|
allowedMethods = append(allowedMethods, method)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return allowedMethods
|
|
|
|
}
|
|
|
|
|
2020-03-01 21:10:29 +00:00
|
|
|
// IsFileAllowed returns true if the specified file is allowed by the file restrictions filters
|
|
|
|
func (u *User) IsFileAllowed(sftpPath string) bool {
|
|
|
|
if len(u.Filters.FileExtensions) == 0 {
|
|
|
|
return true
|
|
|
|
}
|
|
|
|
dirsForPath := utils.GetDirsForSFTPPath(path.Dir(sftpPath))
|
|
|
|
var filter ExtensionsFilter
|
|
|
|
for _, dir := range dirsForPath {
|
|
|
|
for _, f := range u.Filters.FileExtensions {
|
|
|
|
if f.Path == dir {
|
|
|
|
filter = f
|
|
|
|
break
|
|
|
|
}
|
|
|
|
}
|
|
|
|
if len(filter.Path) > 0 {
|
|
|
|
break
|
|
|
|
}
|
|
|
|
}
|
|
|
|
if len(filter.Path) > 0 {
|
|
|
|
toMatch := strings.ToLower(sftpPath)
|
|
|
|
for _, denied := range filter.DeniedExtensions {
|
|
|
|
if strings.HasSuffix(toMatch, denied) {
|
|
|
|
return false
|
|
|
|
}
|
|
|
|
}
|
|
|
|
for _, allowed := range filter.AllowedExtensions {
|
|
|
|
if strings.HasSuffix(toMatch, allowed) {
|
|
|
|
return true
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return len(filter.AllowedExtensions) == 0
|
|
|
|
}
|
|
|
|
return true
|
|
|
|
}
|
|
|
|
|
2020-02-19 21:39:30 +00:00
|
|
|
// IsLoginFromAddrAllowed returns true if the login is allowed from the specified remoteAddr.
|
2019-12-30 17:37:50 +00:00
|
|
|
// If AllowedIP is defined only the specified IP/Mask can login.
|
|
|
|
// If DeniedIP is defined the specified IP/Mask cannot login.
|
|
|
|
// If an IP is both allowed and denied then login will be denied
|
2020-02-19 21:39:30 +00:00
|
|
|
func (u *User) IsLoginFromAddrAllowed(remoteAddr string) bool {
|
2019-12-30 17:37:50 +00:00
|
|
|
if len(u.Filters.AllowedIP) == 0 && len(u.Filters.DeniedIP) == 0 {
|
|
|
|
return true
|
|
|
|
}
|
|
|
|
remoteIP := net.ParseIP(utils.GetIPFromRemoteAddress(remoteAddr))
|
|
|
|
// if remoteIP is invalid we allow login, this should never happen
|
|
|
|
if remoteIP == nil {
|
|
|
|
logger.Warn(logSender, "", "login allowed for invalid IP. remote address: %#v", remoteAddr)
|
|
|
|
return true
|
|
|
|
}
|
|
|
|
for _, IPMask := range u.Filters.DeniedIP {
|
|
|
|
_, IPNet, err := net.ParseCIDR(IPMask)
|
|
|
|
if err != nil {
|
|
|
|
return false
|
|
|
|
}
|
|
|
|
if IPNet.Contains(remoteIP) {
|
|
|
|
return false
|
|
|
|
}
|
|
|
|
}
|
|
|
|
for _, IPMask := range u.Filters.AllowedIP {
|
|
|
|
_, IPNet, err := net.ParseCIDR(IPMask)
|
|
|
|
if err != nil {
|
|
|
|
return false
|
|
|
|
}
|
|
|
|
if IPNet.Contains(remoteIP) {
|
|
|
|
return true
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return len(u.Filters.AllowedIP) == 0
|
|
|
|
}
|
|
|
|
|
2019-07-30 18:51:29 +00:00
|
|
|
// GetPermissionsAsJSON returns the permissions as json byte array
|
2019-07-20 10:26:52 +00:00
|
|
|
func (u *User) GetPermissionsAsJSON() ([]byte, error) {
|
|
|
|
return json.Marshal(u.Permissions)
|
|
|
|
}
|
|
|
|
|
2019-08-01 20:42:46 +00:00
|
|
|
// GetPublicKeysAsJSON returns the public keys as json byte array
|
|
|
|
func (u *User) GetPublicKeysAsJSON() ([]byte, error) {
|
2019-08-07 21:41:10 +00:00
|
|
|
return json.Marshal(u.PublicKeys)
|
2019-08-01 20:42:46 +00:00
|
|
|
}
|
|
|
|
|
2019-12-30 17:37:50 +00:00
|
|
|
// GetFiltersAsJSON returns the filters as json byte array
|
|
|
|
func (u *User) GetFiltersAsJSON() ([]byte, error) {
|
|
|
|
return json.Marshal(u.Filters)
|
|
|
|
}
|
|
|
|
|
2020-01-19 06:41:05 +00:00
|
|
|
// GetFsConfigAsJSON returns the filesystem config as json byte array
|
|
|
|
func (u *User) GetFsConfigAsJSON() ([]byte, error) {
|
|
|
|
return json.Marshal(u.FsConfig)
|
|
|
|
}
|
|
|
|
|
2019-07-30 18:51:29 +00:00
|
|
|
// GetUID returns a validate uid, suitable for use with os.Chown
|
2019-07-20 10:26:52 +00:00
|
|
|
func (u *User) GetUID() int {
|
|
|
|
if u.UID <= 0 || u.UID > 65535 {
|
|
|
|
return -1
|
|
|
|
}
|
|
|
|
return u.UID
|
|
|
|
}
|
|
|
|
|
2019-07-30 18:51:29 +00:00
|
|
|
// GetGID returns a validate gid, suitable for use with os.Chown
|
2019-07-20 10:26:52 +00:00
|
|
|
func (u *User) GetGID() int {
|
|
|
|
if u.GID <= 0 || u.GID > 65535 {
|
|
|
|
return -1
|
|
|
|
}
|
|
|
|
return u.GID
|
|
|
|
}
|
|
|
|
|
2019-07-30 18:51:29 +00:00
|
|
|
// GetHomeDir returns the shortest path name equivalent to the user's home directory
|
2019-07-20 10:26:52 +00:00
|
|
|
func (u *User) GetHomeDir() string {
|
|
|
|
return filepath.Clean(u.HomeDir)
|
|
|
|
}
|
2019-07-28 20:04:50 +00:00
|
|
|
|
2019-07-30 18:51:29 +00:00
|
|
|
// HasQuotaRestrictions returns true if there is a quota restriction on number of files or size or both
|
2019-07-28 20:04:50 +00:00
|
|
|
func (u *User) HasQuotaRestrictions() bool {
|
|
|
|
return u.QuotaFiles > 0 || u.QuotaSize > 0
|
|
|
|
}
|
2019-08-08 17:33:16 +00:00
|
|
|
|
2019-10-07 16:19:01 +00:00
|
|
|
// GetQuotaSummary returns used quota and limits if defined
|
|
|
|
func (u *User) GetQuotaSummary() string {
|
|
|
|
var result string
|
|
|
|
result = "Files: " + strconv.Itoa(u.UsedQuotaFiles)
|
|
|
|
if u.QuotaFiles > 0 {
|
|
|
|
result += "/" + strconv.Itoa(u.QuotaFiles)
|
|
|
|
}
|
|
|
|
if u.UsedQuotaSize > 0 || u.QuotaSize > 0 {
|
|
|
|
result += ". Size: " + utils.ByteCountSI(u.UsedQuotaSize)
|
|
|
|
if u.QuotaSize > 0 {
|
|
|
|
result += "/" + utils.ByteCountSI(u.QuotaSize)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return result
|
|
|
|
}
|
|
|
|
|
|
|
|
// GetPermissionsAsString returns the user's permissions as comma separated string
|
|
|
|
func (u *User) GetPermissionsAsString() string {
|
2019-12-25 17:20:19 +00:00
|
|
|
result := ""
|
|
|
|
for dir, perms := range u.Permissions {
|
|
|
|
var dirPerms string
|
|
|
|
for _, p := range perms {
|
|
|
|
if len(dirPerms) > 0 {
|
|
|
|
dirPerms += ", "
|
|
|
|
}
|
|
|
|
dirPerms += p
|
|
|
|
}
|
|
|
|
dp := fmt.Sprintf("%#v: %#v", dir, dirPerms)
|
|
|
|
if dir == "/" {
|
|
|
|
if len(result) > 0 {
|
|
|
|
result = dp + ", " + result
|
|
|
|
} else {
|
|
|
|
result = dp
|
|
|
|
}
|
|
|
|
} else {
|
|
|
|
if len(result) > 0 {
|
|
|
|
result += ", "
|
|
|
|
}
|
|
|
|
result += dp
|
2019-10-07 16:19:01 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
return result
|
|
|
|
}
|
|
|
|
|
|
|
|
// GetBandwidthAsString returns bandwidth limits if defines
|
|
|
|
func (u *User) GetBandwidthAsString() string {
|
|
|
|
result := "Download: "
|
|
|
|
if u.DownloadBandwidth > 0 {
|
|
|
|
result += utils.ByteCountSI(u.DownloadBandwidth*1000) + "/s."
|
|
|
|
} else {
|
2020-03-04 04:43:15 +00:00
|
|
|
result += "unlimited."
|
2019-10-07 16:19:01 +00:00
|
|
|
}
|
|
|
|
result += " Upload: "
|
|
|
|
if u.UploadBandwidth > 0 {
|
|
|
|
result += utils.ByteCountSI(u.UploadBandwidth*1000) + "/s."
|
|
|
|
} else {
|
2020-03-04 04:43:15 +00:00
|
|
|
result += "unlimited."
|
2019-10-07 16:19:01 +00:00
|
|
|
}
|
|
|
|
return result
|
|
|
|
}
|
|
|
|
|
|
|
|
// GetInfoString returns user's info as string.
|
2020-01-31 18:04:00 +00:00
|
|
|
// Storage provider, number of public keys, max sessions, uid,
|
|
|
|
// gid, denied and allowed IP/Mask are returned
|
2019-10-07 16:19:01 +00:00
|
|
|
func (u *User) GetInfoString() string {
|
|
|
|
var result string
|
2019-11-13 10:36:21 +00:00
|
|
|
if u.LastLogin > 0 {
|
|
|
|
t := utils.GetTimeFromMsecSinceEpoch(u.LastLogin)
|
|
|
|
result += fmt.Sprintf("Last login: %v ", t.Format("2006-01-02 15:04:05")) // YYYY-MM-DD HH:MM:SS
|
|
|
|
}
|
2020-01-19 06:41:05 +00:00
|
|
|
if u.FsConfig.Provider == 1 {
|
2020-04-30 13:06:15 +00:00
|
|
|
result += "Storage: S3 "
|
2020-01-31 18:04:00 +00:00
|
|
|
} else if u.FsConfig.Provider == 2 {
|
2020-04-30 13:06:15 +00:00
|
|
|
result += "Storage: GCS "
|
2020-01-19 06:41:05 +00:00
|
|
|
}
|
2019-10-07 16:19:01 +00:00
|
|
|
if len(u.PublicKeys) > 0 {
|
|
|
|
result += fmt.Sprintf("Public keys: %v ", len(u.PublicKeys))
|
|
|
|
}
|
|
|
|
if u.MaxSessions > 0 {
|
|
|
|
result += fmt.Sprintf("Max sessions: %v ", u.MaxSessions)
|
|
|
|
}
|
|
|
|
if u.UID > 0 {
|
|
|
|
result += fmt.Sprintf("UID: %v ", u.UID)
|
|
|
|
}
|
|
|
|
if u.GID > 0 {
|
|
|
|
result += fmt.Sprintf("GID: %v ", u.GID)
|
|
|
|
}
|
2019-12-30 17:37:50 +00:00
|
|
|
if len(u.Filters.DeniedIP) > 0 {
|
|
|
|
result += fmt.Sprintf("Denied IP/Mask: %v ", len(u.Filters.DeniedIP))
|
|
|
|
}
|
|
|
|
if len(u.Filters.AllowedIP) > 0 {
|
|
|
|
result += fmt.Sprintf("Allowed IP/Mask: %v ", len(u.Filters.AllowedIP))
|
|
|
|
}
|
2019-10-07 16:19:01 +00:00
|
|
|
return result
|
|
|
|
}
|
2019-10-25 16:37:12 +00:00
|
|
|
|
2019-11-13 10:36:21 +00:00
|
|
|
// GetExpirationDateAsString returns expiration date formatted as YYYY-MM-DD
|
|
|
|
func (u *User) GetExpirationDateAsString() string {
|
|
|
|
if u.ExpirationDate > 0 {
|
|
|
|
t := utils.GetTimeFromMsecSinceEpoch(u.ExpirationDate)
|
|
|
|
return t.Format("2006-01-02")
|
|
|
|
}
|
|
|
|
return ""
|
|
|
|
}
|
|
|
|
|
2019-12-30 17:37:50 +00:00
|
|
|
// GetAllowedIPAsString returns the allowed IP as comma separated string
|
|
|
|
func (u User) GetAllowedIPAsString() string {
|
|
|
|
result := ""
|
|
|
|
for _, IPMask := range u.Filters.AllowedIP {
|
|
|
|
if len(result) > 0 {
|
|
|
|
result += ","
|
|
|
|
}
|
|
|
|
result += IPMask
|
|
|
|
}
|
|
|
|
return result
|
|
|
|
}
|
|
|
|
|
|
|
|
// GetDeniedIPAsString returns the denied IP as comma separated string
|
|
|
|
func (u User) GetDeniedIPAsString() string {
|
|
|
|
result := ""
|
|
|
|
for _, IPMask := range u.Filters.DeniedIP {
|
|
|
|
if len(result) > 0 {
|
|
|
|
result += ","
|
|
|
|
}
|
|
|
|
result += IPMask
|
|
|
|
}
|
|
|
|
return result
|
|
|
|
}
|
|
|
|
|
2019-10-25 16:37:12 +00:00
|
|
|
func (u *User) getACopy() User {
|
|
|
|
pubKeys := make([]string, len(u.PublicKeys))
|
|
|
|
copy(pubKeys, u.PublicKeys)
|
2020-02-23 10:30:26 +00:00
|
|
|
virtualFolders := make([]vfs.VirtualFolder, len(u.VirtualFolders))
|
|
|
|
copy(virtualFolders, u.VirtualFolders)
|
2019-12-25 17:20:19 +00:00
|
|
|
permissions := make(map[string][]string)
|
|
|
|
for k, v := range u.Permissions {
|
|
|
|
perms := make([]string, len(v))
|
|
|
|
copy(perms, v)
|
|
|
|
permissions[k] = perms
|
|
|
|
}
|
2019-12-30 17:37:50 +00:00
|
|
|
filters := UserFilters{}
|
|
|
|
filters.AllowedIP = make([]string, len(u.Filters.AllowedIP))
|
|
|
|
copy(filters.AllowedIP, u.Filters.AllowedIP)
|
|
|
|
filters.DeniedIP = make([]string, len(u.Filters.DeniedIP))
|
|
|
|
copy(filters.DeniedIP, u.Filters.DeniedIP)
|
2020-02-19 21:39:30 +00:00
|
|
|
filters.DeniedLoginMethods = make([]string, len(u.Filters.DeniedLoginMethods))
|
|
|
|
copy(filters.DeniedLoginMethods, u.Filters.DeniedLoginMethods)
|
2020-03-01 21:10:29 +00:00
|
|
|
filters.FileExtensions = make([]ExtensionsFilter, len(u.Filters.FileExtensions))
|
|
|
|
copy(filters.FileExtensions, u.Filters.FileExtensions)
|
2020-01-19 06:41:05 +00:00
|
|
|
fsConfig := Filesystem{
|
|
|
|
Provider: u.FsConfig.Provider,
|
|
|
|
S3Config: vfs.S3FsConfig{
|
2020-03-13 18:13:58 +00:00
|
|
|
Bucket: u.FsConfig.S3Config.Bucket,
|
|
|
|
Region: u.FsConfig.S3Config.Region,
|
|
|
|
AccessKey: u.FsConfig.S3Config.AccessKey,
|
|
|
|
AccessSecret: u.FsConfig.S3Config.AccessSecret,
|
|
|
|
Endpoint: u.FsConfig.S3Config.Endpoint,
|
|
|
|
StorageClass: u.FsConfig.S3Config.StorageClass,
|
|
|
|
KeyPrefix: u.FsConfig.S3Config.KeyPrefix,
|
|
|
|
UploadPartSize: u.FsConfig.S3Config.UploadPartSize,
|
|
|
|
UploadConcurrency: u.FsConfig.S3Config.UploadConcurrency,
|
2020-01-19 06:41:05 +00:00
|
|
|
},
|
2020-01-31 18:04:00 +00:00
|
|
|
GCSConfig: vfs.GCSFsConfig{
|
2020-02-19 08:41:15 +00:00
|
|
|
Bucket: u.FsConfig.GCSConfig.Bucket,
|
|
|
|
CredentialFile: u.FsConfig.GCSConfig.CredentialFile,
|
|
|
|
AutomaticCredentials: u.FsConfig.GCSConfig.AutomaticCredentials,
|
|
|
|
StorageClass: u.FsConfig.GCSConfig.StorageClass,
|
|
|
|
KeyPrefix: u.FsConfig.GCSConfig.KeyPrefix,
|
2020-01-31 18:04:00 +00:00
|
|
|
},
|
2020-01-19 06:41:05 +00:00
|
|
|
}
|
2019-12-30 17:37:50 +00:00
|
|
|
|
2019-10-25 16:37:12 +00:00
|
|
|
return User{
|
|
|
|
ID: u.ID,
|
|
|
|
Username: u.Username,
|
|
|
|
Password: u.Password,
|
|
|
|
PublicKeys: pubKeys,
|
|
|
|
HomeDir: u.HomeDir,
|
2020-02-23 10:30:26 +00:00
|
|
|
VirtualFolders: virtualFolders,
|
2019-10-25 16:37:12 +00:00
|
|
|
UID: u.UID,
|
|
|
|
GID: u.GID,
|
|
|
|
MaxSessions: u.MaxSessions,
|
|
|
|
QuotaSize: u.QuotaSize,
|
|
|
|
QuotaFiles: u.QuotaFiles,
|
|
|
|
Permissions: permissions,
|
|
|
|
UsedQuotaSize: u.UsedQuotaSize,
|
|
|
|
UsedQuotaFiles: u.UsedQuotaFiles,
|
|
|
|
LastQuotaUpdate: u.LastQuotaUpdate,
|
|
|
|
UploadBandwidth: u.UploadBandwidth,
|
|
|
|
DownloadBandwidth: u.DownloadBandwidth,
|
2019-11-13 10:36:21 +00:00
|
|
|
Status: u.Status,
|
|
|
|
ExpirationDate: u.ExpirationDate,
|
|
|
|
LastLogin: u.LastLogin,
|
2019-12-30 17:37:50 +00:00
|
|
|
Filters: filters,
|
2020-01-19 06:41:05 +00:00
|
|
|
FsConfig: fsConfig,
|
2019-10-25 16:37:12 +00:00
|
|
|
}
|
|
|
|
}
|
2019-11-14 10:06:03 +00:00
|
|
|
|
2020-01-09 11:00:37 +00:00
|
|
|
func (u *User) getNotificationFieldsAsSlice(action string) []string {
|
|
|
|
return []string{action, u.Username,
|
2019-11-14 10:06:03 +00:00
|
|
|
strconv.FormatInt(u.ID, 10),
|
|
|
|
strconv.FormatInt(int64(u.Status), 10),
|
2020-04-30 12:23:55 +00:00
|
|
|
strconv.FormatInt(u.ExpirationDate, 10),
|
2019-11-14 10:06:03 +00:00
|
|
|
u.HomeDir,
|
|
|
|
strconv.FormatInt(int64(u.UID), 10),
|
|
|
|
strconv.FormatInt(int64(u.GID), 10),
|
|
|
|
}
|
|
|
|
}
|
2020-01-09 11:00:37 +00:00
|
|
|
|
|
|
|
func (u *User) getNotificationFieldsAsEnvVars(action string) []string {
|
|
|
|
return []string{fmt.Sprintf("SFTPGO_USER_ACTION=%v", action),
|
|
|
|
fmt.Sprintf("SFTPGO_USER_USERNAME=%v", u.Username),
|
2020-02-05 21:17:03 +00:00
|
|
|
fmt.Sprintf("SFTPGO_USER_PASSWORD=%v", u.Password),
|
2020-01-09 11:00:37 +00:00
|
|
|
fmt.Sprintf("SFTPGO_USER_ID=%v", u.ID),
|
|
|
|
fmt.Sprintf("SFTPGO_USER_STATUS=%v", u.Status),
|
|
|
|
fmt.Sprintf("SFTPGO_USER_EXPIRATION_DATE=%v", u.ExpirationDate),
|
|
|
|
fmt.Sprintf("SFTPGO_USER_HOME_DIR=%v", u.HomeDir),
|
|
|
|
fmt.Sprintf("SFTPGO_USER_UID=%v", u.UID),
|
2020-02-05 21:17:03 +00:00
|
|
|
fmt.Sprintf("SFTPGO_USER_GID=%v", u.GID),
|
|
|
|
fmt.Sprintf("SFTPGO_USER_QUOTA_FILES=%v", u.QuotaFiles),
|
|
|
|
fmt.Sprintf("SFTPGO_USER_QUOTA_SIZE=%v", u.QuotaSize),
|
|
|
|
fmt.Sprintf("SFTPGO_USER_UPLOAD_BANDWIDTH=%v", u.UploadBandwidth),
|
|
|
|
fmt.Sprintf("SFTPGO_USER_DOWNLOAD_BANDWIDTH=%v", u.DownloadBandwidth),
|
|
|
|
fmt.Sprintf("SFTPGO_USER_MAX_SESSIONS=%v", u.MaxSessions),
|
|
|
|
fmt.Sprintf("SFTPGO_USER_FS_PROVIDER=%v", u.FsConfig.Provider)}
|
2020-01-09 11:00:37 +00:00
|
|
|
}
|
2020-01-31 18:04:00 +00:00
|
|
|
|
|
|
|
func (u *User) getGCSCredentialsFilePath() string {
|
|
|
|
return filepath.Join(credentialsDirPath, fmt.Sprintf("%v_gcs_credentials.json", u.Username))
|
|
|
|
}
|