mirror of
https://github.com/drakkan/sftpgo.git
synced 2024-11-25 00:50:31 +00:00
validate API key scope
Signed-off-by: Nicola Murino <nicola.murino@gmail.com>
This commit is contained in:
parent
991739d47a
commit
e8df1b6e4c
2 changed files with 23 additions and 0 deletions
|
@ -14965,6 +14965,13 @@ func TestUserAPIKey(t *testing.T) {
|
|||
apiKey, _, err = httpdtest.AddAPIKey(apiKey, http.StatusCreated)
|
||||
assert.NoError(t, err)
|
||||
|
||||
adminAPIKey := dataprovider.APIKey{
|
||||
Name: "testadminkey",
|
||||
Scope: dataprovider.APIKeyScopeAdmin,
|
||||
}
|
||||
adminAPIKey, _, err = httpdtest.AddAPIKey(adminAPIKey, http.StatusCreated)
|
||||
assert.NoError(t, err)
|
||||
|
||||
body := new(bytes.Buffer)
|
||||
writer := multipart.NewWriter(body)
|
||||
part, err := writer.CreateFormFile("filenames", "filenametest")
|
||||
|
@ -14993,6 +15000,12 @@ func TestUserAPIKey(t *testing.T) {
|
|||
assert.NoError(t, err)
|
||||
assert.Len(t, dirEntries, 1)
|
||||
|
||||
req, err = http.NewRequest(http.MethodGet, userDirsPath, nil)
|
||||
assert.NoError(t, err)
|
||||
setAPIKeyForReq(req, adminAPIKey.Key, user.Username)
|
||||
rr = executeRequest(req)
|
||||
checkResponseCode(t, http.StatusForbidden, rr)
|
||||
|
||||
user.Status = 0
|
||||
user, _, err = httpdtest.UpdateUser(user, http.StatusOK, "")
|
||||
assert.NoError(t, err)
|
||||
|
@ -15069,6 +15082,9 @@ func TestUserAPIKey(t *testing.T) {
|
|||
|
||||
_, err = httpdtest.RemoveAPIKey(apiKeyNew, http.StatusOK)
|
||||
assert.NoError(t, err)
|
||||
|
||||
_, err = httpdtest.RemoveAPIKey(adminAPIKey, http.StatusOK)
|
||||
assert.NoError(t, err)
|
||||
}
|
||||
|
||||
func TestWebClientViewPDF(t *testing.T) {
|
||||
|
|
|
@ -384,6 +384,13 @@ func checkAPIKeyAuth(tokenAuth *jwtauth.JWTAuth, scope dataprovider.APIKeyScope)
|
|||
sendAPIResponse(w, r, errors.New("the provided api key is not valid"), "", http.StatusBadRequest)
|
||||
return
|
||||
}
|
||||
if k.Scope != scope {
|
||||
handleDefenderEventLoginFailed(util.GetIPFromRemoteAddress(r.RemoteAddr), dataprovider.ErrInvalidCredentials) //nolint:errcheck
|
||||
logger.Debug(logSender, "", "unable to authenticate api key %q: invalid scope: got %d, wnated: %d",
|
||||
apiKey, k.Scope, scope)
|
||||
sendAPIResponse(w, r, fmt.Errorf("the provided api key is invalid for this request"), "", http.StatusForbidden)
|
||||
return
|
||||
}
|
||||
if err := k.Authenticate(key); err != nil {
|
||||
handleDefenderEventLoginFailed(util.GetIPFromRemoteAddress(r.RemoteAddr), dataprovider.ErrInvalidCredentials) //nolint:errcheck
|
||||
logger.Debug(logSender, "", "unable to authenticate api key %q: %v", apiKey, err)
|
||||
|
|
Loading…
Reference in a new issue