diff --git a/config/config.go b/config/config.go
index cca2dffd..44376ed3 100644
--- a/config/config.go
+++ b/config/config.go
@@ -296,7 +296,7 @@ func Init() {
 },
 PasswordCaching: true,
 UpdateMode: 0,
- PreferDatabaseCredentials: false,
+ PreferDatabaseCredentials: true,
 DelayedQuotaUpdate: 0,
 CreateDefaultAdmin: false,
 NamingRules: 0,
diff --git a/docs/full-configuration.md b/docs/full-configuration.md
index 48e73284..84ffd417 100644
--- a/docs/full-configuration.md
+++ b/docs/full-configuration.md
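Review bot: The new `PreferDatabaseCredentials: true` default in `Init()` silently changes where credential material is written for every install that never set the key, and the line carries no comment saying so. After an upgrade such installs write new Google Cloud Storage credentials to the data provider, so provider dumps and backups need the same handling as the old `credentials_path` directory; whether the stored value is encrypted is not visible in this hunk. I would add a comment on the field such as `// Deprecated: now defaults to true; will be removed together with CredentialsPath`. Init's body starts and ends outside the hunk.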
@@ -196,7 +196,7 @@ The configuration file contains the following sections: - `external_auth_hook`, string. Absolute path to an external program or an HTTP URL to invoke for users authentication. See [External Authentication](./external-auth.md) for more details. Leave empty to disable. - `external_auth_scope`, integer. 0 means all supported authentication scopes (passwords, public keys and keyboard interactive). 1 means passwords only. 2 means public keys only. 4 means key keyboard interactive only. 8 means TLS certificate. The flags can be combined, for example 6 means public keys and keyboard interactive - `credentials_path`, string. It defines the directory for storing user provided credential files such as Google Cloud Storage credentials. This can be an absolute path or a path relative to the config dir - - `prefer_database_credentials`, boolean. When `true`, users' Google Cloud Storage credentials will be written to the data provider instead of disk, though pre-existing credentials on disk will be used as a fallback. When `false`, they will be written to the directory specified by `credentials_path`. + - `prefer_database_credentials`, boolean. When `true`, users' Google Cloud Storage credentials will be written to the data provider instead of disk, though pre-existing credentials on disk will be used as a fallback. When `false`, they will be written to the directory specified by `credentials_path`. :warning: Deprecation warning: this setting is deprecated and it will be removed in future versions, we'll use `true` as default and will remove `prefer_database_credentials` and `credentials_path`. - `pre_login_hook`, string. Absolute path to an external program or an HTTP URL to invoke to modify user details just before the login. See [Dynamic user modification](./dynamic-user-mod.md) for more details. Leave empty to disable. - `post_login_hook`, string. Absolute path to an external program or an HTTP URL to invoke to notify a successful or failed login. 
See [Post-login hook](./post-login-hook.md) for more details. Leave empty to disable. - `post_login_scope`, defines the scope for the post-login hook. 0 means notify both failed and successful logins. 1 means notify failed logins. 2 means notify successful logins. diff --git a/ftpd/ftpd_test.go b/ftpd/ftpd_test.go index 72b2c0ee..dab9b489 100644 --- a/ftpd/ftpd_test.go +++ b/ftpd/ftpd_test.go @@ -1830,6 +1830,15 @@ func TestLoginWithDatabaseCredentials(t *testing.T) { } func TestLoginInvalidFs(t *testing.T) { + err := dataprovider.Close() + assert.NoError(t, err) + err = config.LoadConfig(configDir, "") + assert.NoError(t, err) + providerConf := config.GetProviderConf() + providerConf.PreferDatabaseCredentials = false + err = dataprovider.Initialize(providerConf, configDir, true) + assert.NoError(t, err) + u := getTestUser() u.FsConfig.Provider = sdk.GCSFilesystemProvider u.FsConfig.GCSConfig.Bucket = "test" @@ -1837,7 +1846,7 @@ func TestLoginInvalidFs(t *testing.T) { user, _, err := httpdtest.AddUser(u, http.StatusCreated) assert.NoError(t, err) - providerConf := config.GetProviderConf() + providerConf = config.GetProviderConf() credentialsFile := filepath.Join(providerConf.CredentialsPath, fmt.Sprintf("%v_gcs_credentials.json", u.Username)) if !filepath.IsAbs(credentialsFile) { credentialsFile = filepath.Join(configDir, credentialsFile) @@ -1856,6 +1865,14 @@ func TestLoginInvalidFs(t *testing.T) { assert.NoError(t, err) err = os.RemoveAll(user.GetHomeDir()) assert.NoError(t, err) + + err = dataprovider.Close() + assert.NoError(t, err) + err = config.LoadConfig(configDir, "") + assert.NoError(t, err) + providerConf = config.GetProviderConf() + err = dataprovider.Initialize(providerConf, configDir, true) + assert.NoError(t, err) } func TestClientClose(t *testing.T) { diff --git a/httpd/httpd_test.go b/httpd/httpd_test.go index ded1953a..2bbc164b 100644 --- a/httpd/httpd_test.go +++ b/httpd/httpd_test.go 
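Review bot: The provider restore at the end of `TestLoginInvalidFs` runs as ordinary trailing statements, so a panic or a `t.FailNow()` anywhere in the body leaves the shared data provider initialized with `PreferDatabaseCredentials = false` for every test that follows. Registering the restore with `t.Cleanup` right after the override would make it unconditional. The same setup/restore pair is repeated in the `TestUserGCSConfig` and `TestLoginInvalidFs` hunks of httpd/httpd_test.go and in the sftpd and webdavd `TestLoginInvalidFs` hunks, so the point applies there as well. The function body between the hunks is outside the diff.

```go
func TestLoginInvalidFs(t *testing.T) {
	// … unchanged: Close, LoadConfig, PreferDatabaseCredentials = false, Initialize …
	t.Cleanup(func() {
		err := dataprovider.Close()
		assert.NoError(t, err)
		err = config.LoadConfig(configDir, "")
		assert.NoError(t, err)
		err = dataprovider.Initialize(config.GetProviderConf(), configDir, true)
		assert.NoError(t, err)
	})
	// … unchanged: user creation, credentials file checks, user and home dir removal …
```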
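Review bot: `providerConf = config.GetProviderConf()` in the second ftpd hunk re-reads the configuration into a variable that the same call already filled at the top of the test, which makes the flow harder to follow. If `GetProviderConf` returns a copy (not visible here), the re-read also drops the `PreferDatabaseCredentials = false` override from the local value, so the variable no longer describes what the provider was initialized with. Only `CredentialsPath` is read afterwards, so the line could simply be removed; the sftpd and webdavd hunks carry the same line.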
@@ -2788,6 +2788,16 @@ func TestUserS3Config(t *testing.T) { } func TestUserGCSConfig(t *testing.T) { + err := dataprovider.Close() + assert.NoError(t, err) + err = config.LoadConfig(configDir, "") + assert.NoError(t, err) + providerConf := config.GetProviderConf() + providerConf.PreferDatabaseCredentials = false + providerConf.CredentialsPath = credentialsPath + err = dataprovider.Initialize(providerConf, configDir, true) + assert.NoError(t, err) + user, _, err := httpdtest.AddUser(getTestUser(), http.StatusCreated) assert.NoError(t, err) err = os.RemoveAll(credentialsPath) @@ -2860,6 +2870,18 @@ func TestUserGCSConfig(t *testing.T) { _, err = httpdtest.RemoveUser(user, http.StatusOK) assert.NoError(t, err) + + err = dataprovider.Close() + assert.NoError(t, err) + err = config.LoadConfig(configDir, "") + assert.NoError(t, err) + providerConf = config.GetProviderConf() + providerConf.BackupsPath = backupsPath + providerConf.CredentialsPath = credentialsPath + err = os.RemoveAll(credentialsPath) + assert.NoError(t, err) + err = dataprovider.Initialize(providerConf, configDir, true) + assert.NoError(t, err) } func TestUserAzureBlobConfig(t *testing.T) { @@ -8954,6 +8976,16 @@ func TestSFTPLoopError(t *testing.T) { } func TestLoginInvalidFs(t *testing.T) { + err := dataprovider.Close() + assert.NoError(t, err) + err = config.LoadConfig(configDir, "") + assert.NoError(t, err) + providerConf := config.GetProviderConf() + providerConf.PreferDatabaseCredentials = false + providerConf.CredentialsPath = credentialsPath + err = dataprovider.Initialize(providerConf, configDir, true) + assert.NoError(t, err) + u := getTestUser() u.Filters.AllowAPIKeyAuth = true u.FsConfig.Provider = sdk.GCSFilesystemProvider 
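Review bot: The setup block added to `TestUserGCSConfig` overrides `CredentialsPath` but not `BackupsPath`, while the restore block at the end of the same test sets both, so for the duration of the test the provider runs with whatever backups path `LoadConfig` produced. If the rest of the suite relies on `backupsPath`, as the restore suggests, adding `providerConf.BackupsPath = backupsPath` to the setup keeps the two blocks symmetric. The `TestLoginInvalidFs` setup later in this file has the same gap, and its restore hunk repeats the same block.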
@@ -8993,6 +9025,18 @@ func TestLoginInvalidFs(t *testing.T) { assert.NoError(t, err) err = os.RemoveAll(user.GetHomeDir()) assert.NoError(t, err) + + err = dataprovider.Close() + assert.NoError(t, err) + err = config.LoadConfig(configDir, "") + assert.NoError(t, err) + providerConf = config.GetProviderConf() + providerConf.BackupsPath = backupsPath + providerConf.CredentialsPath = credentialsPath + err = os.RemoveAll(credentialsPath) + assert.NoError(t, err) + err = dataprovider.Initialize(providerConf, configDir, true) + assert.NoError(t, err) } func TestWebClientChangePwd(t *testing.T) { diff --git a/sftpd/sftpd_test.go b/sftpd/sftpd_test.go index 5aa1adda..bc69ff99 100644 --- a/sftpd/sftpd_test.go +++ b/sftpd/sftpd_test.go @@ -2144,6 +2144,15 @@ func TestLoginWithDatabaseCredentials(t *testing.T) { } func TestLoginInvalidFs(t *testing.T) { + err := dataprovider.Close() + assert.NoError(t, err) + err = config.LoadConfig(configDir, "") + assert.NoError(t, err) + providerConf := config.GetProviderConf() + providerConf.PreferDatabaseCredentials = false + err = dataprovider.Initialize(providerConf, configDir, true) + assert.NoError(t, err) + usePubKey := true u := getTestUser(usePubKey) u.FsConfig.Provider = sdk.GCSFilesystemProvider @@ -2152,7 +2161,7 @@ func TestLoginInvalidFs(t *testing.T) { user, _, err := httpdtest.AddUser(u, http.StatusCreated) assert.NoError(t, err) - providerConf := config.GetProviderConf() + providerConf = config.GetProviderConf() credentialsFile := filepath.Join(providerConf.CredentialsPath, fmt.Sprintf("%v_gcs_credentials.json", u.Username)) if !filepath.IsAbs(credentialsFile) { credentialsFile = filepath.Join(configDir, credentialsFile) 
@@ -2172,6 +2181,14 @@ func TestLoginInvalidFs(t *testing.T) { assert.NoError(t, err) err = os.RemoveAll(user.GetHomeDir()) assert.NoError(t, err) + + err = dataprovider.Close() + assert.NoError(t, err) + err = config.LoadConfig(configDir, "") + assert.NoError(t, err) + providerConf = config.GetProviderConf() + err = dataprovider.Initialize(providerConf, configDir, true) + assert.NoError(t, err) } func TestDeniedProtocols(t *testing.T) { diff --git a/sftpgo.json b/sftpgo.json index 2c4276f4..77173121 100644 --- a/sftpgo.json +++ b/sftpgo.json @@ -174,7 +174,7 @@ "external_auth_hook": "", "external_auth_scope": 0, "credentials_path": "credentials", - "prefer_database_credentials": false, + "prefer_database_credentials": true, "pre_login_hook": "", "post_login_hook": "", "post_login_scope": 0, diff --git a/webdavd/webdavd_test.go b/webdavd/webdavd_test.go index 75c3864d..8eee2ae7 100644 --- a/webdavd/webdavd_test.go +++ b/webdavd/webdavd_test.go @@ -1746,6 +1746,15 @@ func TestLoginWithDatabaseCredentials(t *testing.T) { } func TestLoginInvalidFs(t *testing.T) { + err := dataprovider.Close() + assert.NoError(t, err) + err = config.LoadConfig(configDir, "") + assert.NoError(t, err) + providerConf := config.GetProviderConf() + providerConf.PreferDatabaseCredentials = false + err = dataprovider.Initialize(providerConf, configDir, true) + assert.NoError(t, err) + u := getTestUser() u.FsConfig.Provider = sdk.GCSFilesystemProvider u.FsConfig.GCSConfig.Bucket = "test" @@ -1753,7 +1762,7 @@ func TestLoginInvalidFs(t *testing.T) { user, _, err := httpdtest.AddUser(u, http.StatusCreated) assert.NoError(t, err) - providerConf := config.GetProviderConf() + providerConf = config.GetProviderConf() credentialsFile := filepath.Join(providerConf.CredentialsPath, fmt.Sprintf("%v_gcs_credentials.json", u.Username)) if !filepath.IsAbs(credentialsFile) { credentialsFile = filepath.Join(configDir, credentialsFile) 
@@ -1770,6 +1779,14 @@ func TestLoginInvalidFs(t *testing.T) { assert.NoError(t, err) err = os.RemoveAll(user.GetHomeDir()) assert.NoError(t, err) + + err = dataprovider.Close() + assert.NoError(t, err) + err = config.LoadConfig(configDir, "") + assert.NoError(t, err) + providerConf = config.GetProviderConf() + err = dataprovider.Initialize(providerConf, configDir, true) + assert.NoError(t, err) } func TestSFTPBuffered(t *testing.T) {