beenull/sftpgo-mirror
1
0
Fork 0
mirror of https://github.com/drakkan/sftpgo.git synced 2024-11-21 15:10:23 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 6
sftpgo-mirror/internal/dataprovider/dataprovider.go
Nicola Murino eba4c93efd
user: add additional emails 
Signed-off-by: Nicola Murino <nicola.murino@gmail.com>
2024-10-11 19:20:51 +02:00

4686 lines
161 KiB
Go
Raw Permalink Blame History

// Copyright (C) 2019 Nicola Murino
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License as published
// by the Free Software Foundation, version 3.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU Affero General Public License for more details.
//
// You should have received a copy of the GNU Affero General Public License
// along with this program. If not, see <https://www.gnu.org/licenses/>.
// Package dataprovider provides data access.
// It abstracts different data providers using a common API.
package dataprovider
import (
"bufio"
"bytes"
"context"
"crypto/md5"
"crypto/rsa"
"crypto/sha1"
"crypto/sha256"
"crypto/sha512"
"crypto/subtle"
"crypto/x509"
"encoding/base64"
"encoding/hex"
"encoding/json"
"encoding/pem"
"errors"
"fmt"
"hash"
"io"
"net"
"net/http"
"net/url"
"os"
"os/exec"
"path"
"path/filepath"
"regexp"
"runtime"
"slices"
"strconv"
"strings"
"sync"
"sync/atomic"
"time"
"github.com/GehirnInc/crypt"
"github.com/GehirnInc/crypt/apr1_crypt"
"github.com/GehirnInc/crypt/md5_crypt"
"github.com/GehirnInc/crypt/sha256_crypt"
"github.com/GehirnInc/crypt/sha512_crypt"
"github.com/alexedwards/argon2id"
"github.com/go-chi/render"
"github.com/rs/xid"
"github.com/sftpgo/sdk"
passwordvalidator "github.com/wagslane/go-password-validator"
"golang.org/x/crypto/bcrypt"
"golang.org/x/crypto/pbkdf2"
"golang.org/x/crypto/ssh"
"github.com/drakkan/sftpgo/v2/internal/command"
"github.com/drakkan/sftpgo/v2/internal/httpclient"
"github.com/drakkan/sftpgo/v2/internal/kms"
"github.com/drakkan/sftpgo/v2/internal/logger"
"github.com/drakkan/sftpgo/v2/internal/mfa"
"github.com/drakkan/sftpgo/v2/internal/plugin"
"github.com/drakkan/sftpgo/v2/internal/util"
"github.com/drakkan/sftpgo/v2/internal/vfs"
)
const (
// SQLiteDataProviderName defines the name for SQLite database provider
SQLiteDataProviderName = "sqlite"
// PGSQLDataProviderName defines the name for PostgreSQL database provider
PGSQLDataProviderName = "postgresql"
// MySQLDataProviderName defines the name for MySQL database provider
MySQLDataProviderName = "mysql"
// BoltDataProviderName defines the name for bbolt key/value store provider
BoltDataProviderName = "bolt"
// MemoryDataProviderName defines the name for memory provider
MemoryDataProviderName = "memory"
// CockroachDataProviderName defines the for CockroachDB provider
CockroachDataProviderName = "cockroachdb"
// DumpVersion defines the version for the dump.
// For restore/load we support the current version and the previous one
DumpVersion = 16
argonPwdPrefix = "$argon2id$"
bcryptPwdPrefix = "$2a$"
pbkdf2SHA1Prefix = "$pbkdf2-sha1$"
pbkdf2SHA256Prefix = "$pbkdf2-sha256$"
pbkdf2SHA512Prefix = "$pbkdf2-sha512$"
pbkdf2SHA256B64SaltPrefix = "$pbkdf2-b64salt-sha256$"
md5cryptPwdPrefix = "$1$"
md5cryptApr1PwdPrefix = "$apr1$"
sha256cryptPwdPrefix = "$5$"
sha512cryptPwdPrefix = "$6$"
yescryptPwdPrefix = "$y$"
md5DigestPwdPrefix = "{MD5}"
sha256DigestPwdPrefix = "{SHA256}"
sha512DigestPwdPrefix = "{SHA512}"
trackQuotaDisabledError = "please enable track_quota in your configuration to use this method"
operationAdd = "add"
operationUpdate = "update"
operationDelete = "delete"
sqlPrefixValidChars = "abcdefghijklmnopqrstuvwxyz_0123456789"
maxHookResponseSize = 1048576 // 1MB
iso8601UTCFormat = "2006-01-02T15:04:05Z"
)
// Supported algorithms for hashing passwords.
// These algorithms can be used when SFTPGo hashes a plain text password
const (
HashingAlgoBcrypt = "bcrypt"
HashingAlgoArgon2ID = "argon2id"
)
// ordering constants
const (
OrderASC = "ASC"
OrderDESC = "DESC"
)
const (
protocolSSH = "SSH"
protocolFTP = "FTP"
protocolWebDAV = "DAV"
protocolHTTP = "HTTP"
)
// Dump scopes
const (
DumpScopeUsers = "users"
DumpScopeFolders = "folders"
DumpScopeGroups = "groups"
DumpScopeAdmins = "admins"
DumpScopeAPIKeys = "api_keys"
DumpScopeShares = "shares"
DumpScopeActions = "actions"
DumpScopeRules = "rules"
DumpScopeRoles = "roles"
DumpScopeIPLists = "ip_lists"
DumpScopeConfigs = "configs"
)
const (
fieldUsername = 1
fieldName = 2
fieldIPNet = 3
)
var (
// SupportedProviders defines the supported data providers
SupportedProviders = []string{SQLiteDataProviderName, PGSQLDataProviderName, MySQLDataProviderName,
BoltDataProviderName, MemoryDataProviderName, CockroachDataProviderName}
// ValidPerms defines all the valid permissions for a user
ValidPerms = []string{PermAny, PermListItems, PermDownload, PermUpload, PermOverwrite, PermCreateDirs, PermRename,
PermRenameFiles, PermRenameDirs, PermDelete, PermDeleteFiles, PermDeleteDirs, PermCopy, PermCreateSymlinks,
PermChmod, PermChown, PermChtimes}
// ValidLoginMethods defines all the valid login methods
ValidLoginMethods = []string{SSHLoginMethodPublicKey, LoginMethodPassword, SSHLoginMethodPassword,
SSHLoginMethodKeyboardInteractive, SSHLoginMethodKeyAndPassword, SSHLoginMethodKeyAndKeyboardInt,
LoginMethodTLSCertificate, LoginMethodTLSCertificateAndPwd}
// SSHMultiStepsLoginMethods defines the supported Multi-Step Authentications
SSHMultiStepsLoginMethods = []string{SSHLoginMethodKeyAndPassword, SSHLoginMethodKeyAndKeyboardInt}
// ErrNoAuthTried defines the error for connection closed before authentication
ErrNoAuthTried = errors.New("no auth tried")
// ErrNotImplemented defines the error for features not supported for a particular data provider
ErrNotImplemented = errors.New("feature not supported with the configured data provider")
// ValidProtocols defines all the valid protcols
ValidProtocols = []string{protocolSSH, protocolFTP, protocolWebDAV, protocolHTTP}
// MFAProtocols defines the supported protocols for multi-factor authentication
MFAProtocols = []string{protocolHTTP, protocolSSH, protocolFTP}
// ErrNoInitRequired defines the error returned by InitProvider if no inizialization/update is required
ErrNoInitRequired = errors.New("the data provider is up to date")
// ErrInvalidCredentials defines the error to return if the supplied credentials are invalid
ErrInvalidCredentials = errors.New("invalid credentials")
// ErrLoginNotAllowedFromIP defines the error to return if login is denied from the current IP
ErrLoginNotAllowedFromIP = errors.New("login is not allowed from this IP")
// ErrDuplicatedKey occurs when there is a unique key constraint violation
ErrDuplicatedKey = errors.New("duplicated key not allowed")
// ErrForeignKeyViolated occurs when there is a foreign key constraint violation
ErrForeignKeyViolated = errors.New("violates foreign key constraint")
tz = ""
isAdminCreated atomic.Bool
validTLSUsernames = []string{string(sdk.TLSUsernameNone), string(sdk.TLSUsernameCN)}
config Config
provider Provider
sqlPlaceholders []string
internalHashPwdPrefixes = []string{argonPwdPrefix, bcryptPwdPrefix}
hashPwdPrefixes = []string{argonPwdPrefix, bcryptPwdPrefix, pbkdf2SHA1Prefix, pbkdf2SHA256Prefix,
pbkdf2SHA512Prefix, pbkdf2SHA256B64SaltPrefix, md5cryptPwdPrefix, md5cryptApr1PwdPrefix, md5DigestPwdPrefix,
sha256DigestPwdPrefix, sha512DigestPwdPrefix, sha256cryptPwdPrefix, sha512cryptPwdPrefix, yescryptPwdPrefix}
pbkdfPwdPrefixes = []string{pbkdf2SHA1Prefix, pbkdf2SHA256Prefix, pbkdf2SHA512Prefix, pbkdf2SHA256B64SaltPrefix}
pbkdfPwdB64SaltPrefixes = []string{pbkdf2SHA256B64SaltPrefix}
unixPwdPrefixes = []string{md5cryptPwdPrefix, md5cryptApr1PwdPrefix, sha256cryptPwdPrefix, sha512cryptPwdPrefix,
yescryptPwdPrefix}
digestPwdPrefixes = []string{md5DigestPwdPrefix, sha256DigestPwdPrefix, sha512DigestPwdPrefix}
sharedProviders = []string{PGSQLDataProviderName, MySQLDataProviderName, CockroachDataProviderName}
logSender = "dataprovider"
sqlTableUsers string
sqlTableFolders string
sqlTableUsersFoldersMapping string
sqlTableAdmins string
sqlTableAPIKeys string
sqlTableShares string
sqlTableDefenderHosts string
sqlTableDefenderEvents string
sqlTableActiveTransfers string
sqlTableGroups string
sqlTableUsersGroupsMapping string
sqlTableAdminsGroupsMapping string
sqlTableGroupsFoldersMapping string
sqlTableSharedSessions string
sqlTableEventsActions string
sqlTableEventsRules string
sqlTableRulesActionsMapping string
sqlTableTasks string
sqlTableNodes string
sqlTableRoles string
sqlTableIPLists string
sqlTableConfigs string
sqlTableSchemaVersion string
argon2Params *argon2id.Params
lastLoginMinDelay = 10 * time.Minute
usernameRegex = regexp.MustCompile("^[a-zA-Z0-9-_.~]+$")
tempPath string
allowSelfConnections int
fnReloadRules FnReloadRules
fnRemoveRule FnRemoveRule
fnHandleRuleForProviderEvent FnHandleRuleForProviderEvent
)
func initSQLTables() {
sqlTableUsers = "users"
sqlTableFolders = "folders"
sqlTableUsersFoldersMapping = "users_folders_mapping"
sqlTableAdmins = "admins"
sqlTableAPIKeys = "api_keys"
sqlTableShares = "shares"
sqlTableDefenderHosts = "defender_hosts"
sqlTableDefenderEvents = "defender_events"
sqlTableActiveTransfers = "active_transfers"
sqlTableGroups = "groups"
sqlTableUsersGroupsMapping = "users_groups_mapping"
sqlTableGroupsFoldersMapping = "groups_folders_mapping"
sqlTableAdminsGroupsMapping = "admins_groups_mapping"
sqlTableSharedSessions = "shared_sessions"
sqlTableEventsActions = "events_actions"
sqlTableEventsRules = "events_rules"
sqlTableRulesActionsMapping = "rules_actions_mapping"
sqlTableTasks = "tasks"
sqlTableNodes = "nodes"
sqlTableRoles = "roles"
sqlTableIPLists = "ip_lists"
sqlTableConfigs = "configurations"
sqlTableSchemaVersion = "schema_version"
}
// FnReloadRules defined the callback to reload event rules
type FnReloadRules func()
// FnRemoveRule defines the callback to remove an event rule
type FnRemoveRule func(name string)
// FnHandleRuleForProviderEvent define the callback to handle event rules for provider events
type FnHandleRuleForProviderEvent func(operation, executor, ip, objectType, objectName, role string, object plugin.Renderer)
// SetEventRulesCallbacks sets the event rules callbacks
func SetEventRulesCallbacks(reload FnReloadRules, remove FnRemoveRule, handle FnHandleRuleForProviderEvent) {
fnReloadRules = reload
fnRemoveRule = remove
fnHandleRuleForProviderEvent = handle
}
type schemaVersion struct {
Version int
}
// BcryptOptions defines the options for bcrypt password hashing
type BcryptOptions struct {
Cost int `json:"cost" mapstructure:"cost"`
}
// Argon2Options defines the options for argon2 password hashing
type Argon2Options struct {
Memory uint32 `json:"memory" mapstructure:"memory"`
Iterations uint32 `json:"iterations" mapstructure:"iterations"`
Parallelism uint8 `json:"parallelism" mapstructure:"parallelism"`
}
// PasswordHashing defines the configuration for password hashing
type PasswordHashing struct {
BcryptOptions BcryptOptions `json:"bcrypt_options" mapstructure:"bcrypt_options"`
Argon2Options Argon2Options `json:"argon2_options" mapstructure:"argon2_options"`
// Algorithm to use for hashing passwords. Available algorithms: argon2id, bcrypt. Default: bcrypt
Algo string `json:"algo" mapstructure:"algo"`
}
// PasswordValidationRules defines the password validation rules
type PasswordValidationRules struct {
// MinEntropy defines the minimum password entropy.
// 0 means disabled, any password will be accepted.
// Take a look at the following link for more details
// https://github.com/wagslane/go-password-validator#what-entropy-value-should-i-use
MinEntropy float64 `json:"min_entropy" mapstructure:"min_entropy"`
}
// PasswordValidation defines the password validation rules for admins and protocol users
type PasswordValidation struct {
// Password validation rules for SFTPGo admin users
Admins PasswordValidationRules `json:"admins" mapstructure:"admins"`
// Password validation rules for SFTPGo protocol users
Users PasswordValidationRules `json:"users" mapstructure:"users"`
}
type wrappedFolder struct {
Folder vfs.BaseVirtualFolder
}
func (w *wrappedFolder) RenderAsJSON(reload bool) ([]byte, error) {
if reload {
folder, err := provider.getFolderByName(w.Folder.Name)
if err != nil {
providerLog(logger.LevelError, "unable to reload folder before rendering as json: %v", err)
return nil, err
}
folder.PrepareForRendering()
return json.Marshal(folder)
}
w.Folder.PrepareForRendering()
return json.Marshal(w.Folder)
}
// ObjectsActions defines the action to execute on user create, update, delete for the specified objects
type ObjectsActions struct {
// Valid values are add, update, delete. Empty slice to disable
ExecuteOn []string `json:"execute_on" mapstructure:"execute_on"`
// Valid values are user, admin, api_key
ExecuteFor []string `json:"execute_for" mapstructure:"execute_for"`
// Absolute path to an external program or an HTTP URL
Hook string `json:"hook" mapstructure:"hook"`
}
// ProviderStatus defines the provider status
type ProviderStatus struct {
Driver string `json:"driver"`
IsActive bool `json:"is_active"`
Error string `json:"error"`
}
// Config defines the provider configuration
type Config struct {
// Driver name, must be one of the SupportedProviders
Driver string `json:"driver" mapstructure:"driver"`
// Database name. For driver sqlite this can be the database name relative to the config dir
// or the absolute path to the SQLite database.
Name string `json:"name" mapstructure:"name"`
// Database host. For postgresql and cockroachdb driver you can specify multiple hosts separated by commas
Host string `json:"host" mapstructure:"host"`
// Database port
Port int `json:"port" mapstructure:"port"`
// Database username
Username string `json:"username" mapstructure:"username"`
// Database password
Password string `json:"password" mapstructure:"password"`
// Used for drivers mysql and postgresql.
// 0 disable SSL/TLS connections.
// 1 require ssl.
// 2 set ssl mode to verify-ca for driver postgresql and skip-verify for driver mysql.
// 3 set ssl mode to verify-full for driver postgresql and preferred for driver mysql.
SSLMode int `json:"sslmode" mapstructure:"sslmode"`
// Used for drivers mysql, postgresql and cockroachdb. Set to true to disable SNI
DisableSNI bool `json:"disable_sni" mapstructure:"disable_sni"`
// TargetSessionAttrs is a postgresql and cockroachdb specific option.
// It determines whether the session must have certain properties to be acceptable.
// It's typically used in combination with multiple host names to select the first
// acceptable alternative among several hosts
TargetSessionAttrs string `json:"target_session_attrs" mapstructure:"target_session_attrs"`
// Path to the root certificate authority used to verify that the server certificate was signed by a trusted CA
RootCert string `json:"root_cert" mapstructure:"root_cert"`
// Path to the client certificate for two-way TLS authentication
ClientCert string `json:"client_cert" mapstructure:"client_cert"`
// Path to the client key for two-way TLS authentication
ClientKey string `json:"client_key" mapstructure:"client_key"`
// Custom database connection string.
// If not empty this connection string will be used instead of build one using the previous parameters
ConnectionString string `json:"connection_string" mapstructure:"connection_string"`
// prefix for SQL tables
SQLTablesPrefix string `json:"sql_tables_prefix" mapstructure:"sql_tables_prefix"`
// Set the preferred way to track users quota between the following choices:
// 0, disable quota tracking. REST API to scan user dir and update quota will do nothing
// 1, quota is updated each time a user upload or delete a file even if the user has no quota restrictions
// 2, quota is updated each time a user upload or delete a file but only for users with quota restrictions
// and for virtual folders.
// With this configuration the "quota scan" REST API can still be used to periodically update space usage
// for users without quota restrictions
TrackQuota int `json:"track_quota" mapstructure:"track_quota"`
// Sets the maximum number of open connections for mysql and postgresql driver.
// Default 0 (unlimited)
PoolSize int `json:"pool_size" mapstructure:"pool_size"`
// Users default base directory.
// If no home dir is defined while adding a new user, and this value is
// a valid absolute path, then the user home dir will be automatically
// defined as the path obtained joining the base dir and the username
UsersBaseDir string `json:"users_base_dir" mapstructure:"users_base_dir"`
// Actions to execute on objects add, update, delete.
// The supported objects are user, admin, api_key.
// Update action will not be fired for internal updates such as the last login or the user quota fields.
Actions ObjectsActions `json:"actions" mapstructure:"actions"`
// Absolute path to an external program or an HTTP URL to invoke for users authentication.
// Leave empty to use builtin authentication.
// If the authentication succeed the user will be automatically added/updated inside the defined data provider.
// Actions defined for user added/updated will not be executed in this case.
// This method is slower than built-in authentication methods, but it's very flexible as anyone can
// easily write his own authentication hooks.
ExternalAuthHook string `json:"external_auth_hook" mapstructure:"external_auth_hook"`
// ExternalAuthScope defines the scope for the external authentication hook.
// - 0 means all supported authentication scopes, the external hook will be executed for password,
// public key, keyboard interactive authentication and TLS certificates
// - 1 means passwords only
// - 2 means public keys only
// - 4 means keyboard interactive only
// - 8 means TLS certificates only
// you can combine the scopes, for example 3 means password and public key, 5 password and keyboard
// interactive and so on
ExternalAuthScope int `json:"external_auth_scope" mapstructure:"external_auth_scope"`
// Absolute path to an external program or an HTTP URL to invoke just before the user login.
// This program/URL allows to modify or create the user trying to login.
// It is useful if you have users with dynamic fields to update just before the login.
// Please note that if you want to create a new user, the pre-login hook response must
// include all the mandatory user fields.
//
// The pre-login hook must finish within 30 seconds.
//
// If an error happens while executing the "PreLoginHook" then login will be denied.
// PreLoginHook and ExternalAuthHook are mutally exclusive.
// Leave empty to disable.
PreLoginHook string `json:"pre_login_hook" mapstructure:"pre_login_hook"`
// Absolute path to an external program or an HTTP URL to invoke after the user login.
// Based on the configured scope you can choose if notify failed or successful logins
// or both
PostLoginHook string `json:"post_login_hook" mapstructure:"post_login_hook"`
// PostLoginScope defines the scope for the post-login hook.
// - 0 means notify both failed and successful logins
// - 1 means notify failed logins
// - 2 means notify successful logins
PostLoginScope int `json:"post_login_scope" mapstructure:"post_login_scope"`
// Absolute path to an external program or an HTTP URL to invoke just before password
// authentication. This hook allows you to externally check the provided password,
// its main use case is to allow to easily support things like password+OTP for protocols
// without keyboard interactive support such as FTP and WebDAV. You can ask your users
// to login using a string consisting of a fixed password and a One Time Token, you
// can verify the token inside the hook and ask to SFTPGo to verify the fixed part.
CheckPasswordHook string `json:"check_password_hook" mapstructure:"check_password_hook"`
// CheckPasswordScope defines the scope for the check password hook.
// - 0 means all protocols
// - 1 means SSH
// - 2 means FTP
// - 4 means WebDAV
// you can combine the scopes, for example 6 means FTP and WebDAV
CheckPasswordScope int `json:"check_password_scope" mapstructure:"check_password_scope"`
// Defines how the database will be initialized/updated:
// - 0 means automatically
// - 1 means manually using the initprovider sub-command
UpdateMode int `json:"update_mode" mapstructure:"update_mode"`
// PasswordHashing defines the configuration for password hashing
PasswordHashing PasswordHashing `json:"password_hashing" mapstructure:"password_hashing"`
// PasswordValidation defines the password validation rules
PasswordValidation PasswordValidation `json:"password_validation" mapstructure:"password_validation"`
// Verifying argon2 passwords has a high memory and computational cost,
// by enabling, in memory, password caching you reduce this cost.
PasswordCaching bool `json:"password_caching" mapstructure:"password_caching"`
// DelayedQuotaUpdate defines the number of seconds to accumulate quota updates.
// If there are a lot of close uploads, accumulating quota updates can save you many
// queries to the data provider.
// If you want to track quotas, a scheduled quota update is recommended in any case, the stored
// quota size may be incorrect for several reasons, such as an unexpected shutdown, temporary provider
// failures, file copied outside of SFTPGo, and so on.
// 0 means immediate quota update.
DelayedQuotaUpdate int `json:"delayed_quota_update" mapstructure:"delayed_quota_update"`
// If enabled, a default admin user with username "admin" and password "password" will be created
// on first start.
// You can also create the first admin user by using the web interface or by loading initial data.
CreateDefaultAdmin bool `json:"create_default_admin" mapstructure:"create_default_admin"`
// Rules for usernames and folder names:
// - 0 means no rules
// - 1 means you can use any UTF-8 character. The names are used in URIs for REST API and Web admin.
// By default only unreserved URI characters are allowed: ALPHA / DIGIT / "-" / "." / "_" / "~".
// - 2 means names are converted to lowercase before saving/matching and so case
// insensitive matching is possible
// - 4 means trimming trailing and leading white spaces before saving/matching
// Rules can be combined, for example 3 means both converting to lowercase and allowing any UTF-8 character.
// Enabling these options for existing installations could be backward incompatible, some users
// could be unable to login, for example existing users with mixed cases in their usernames.
// You have to ensure that all existing users respect the defined rules.
NamingRules int `json:"naming_rules" mapstructure:"naming_rules"`
// If the data provider is shared across multiple SFTPGo instances, set this parameter to 1.
// MySQL, PostgreSQL and CockroachDB can be shared, this setting is ignored for other data
// providers. For shared data providers, SFTPGo periodically reloads the latest updated users,
// based on the "updated_at" field, and updates its internal caches if users are updated from
// a different instance. This check, if enabled, is executed every 10 minutes.
// For shared data providers, active transfers are persisted in the database and thus
// quota checks between ongoing transfers will work cross multiple instances
IsShared int `json:"is_shared" mapstructure:"is_shared"`
// Node defines the configuration for this cluster node.
// Ignored if the provider is not shared/shareable
Node NodeConfig `json:"node" mapstructure:"node"`
// Path to the backup directory. This can be an absolute path or a path relative to the config dir
BackupsPath string `json:"backups_path" mapstructure:"backups_path"`
}
// GetShared returns the provider share mode.
// This method is called before the provider is initialized
func (c *Config) GetShared() int {
if !slices.Contains(sharedProviders, c.Driver) {
return 0
}
return c.IsShared
}
func (c *Config) convertName(name string) string {
if c.NamingRules <= 1 {
return name
}
if c.NamingRules&2 != 0 {
name = strings.ToLower(name)
}
if c.NamingRules&4 != 0 {
name = strings.TrimSpace(name)
}
return name
}
// IsDefenderSupported returns true if the configured provider supports the defender
func (c *Config) IsDefenderSupported() bool {
switch c.Driver {
case MySQLDataProviderName, PGSQLDataProviderName, CockroachDataProviderName:
return true
default:
return false
}
}
func (c *Config) requireCustomTLSForMySQL() bool {
if config.DisableSNI {
return config.SSLMode != 0
}
if config.RootCert != "" && util.IsFileInputValid(config.RootCert) {
return config.SSLMode != 0
}
if config.ClientCert != "" && config.ClientKey != "" && util.IsFileInputValid(config.ClientCert) &&
util.IsFileInputValid(config.ClientKey) {
return config.SSLMode != 0
}
return false
}
func (c *Config) doBackup() (string, error) {
now := time.Now().UTC()
outputFile := filepath.Join(c.BackupsPath, fmt.Sprintf("backup_%s_%d.json", now.Weekday(), now.Hour()))
providerLog(logger.LevelDebug, "starting backup to file %q", outputFile)
err := os.MkdirAll(filepath.Dir(outputFile), 0700)
if err != nil {
providerLog(logger.LevelError, "unable to create backup dir %q: %v", outputFile, err)
return outputFile, fmt.Errorf("unable to create backup dir: %w", err)
}
backup, err := DumpData(nil)
if err != nil {
providerLog(logger.LevelError, "unable to execute backup: %v", err)
return outputFile, fmt.Errorf("unable to dump backup data: %w", err)
}
dump, err := json.Marshal(backup)
if err != nil {
providerLog(logger.LevelError, "unable to marshal backup as JSON: %v", err)
return outputFile, fmt.Errorf("unable to marshal backup data as JSON: %w", err)
}
err = os.WriteFile(outputFile, dump, 0600)
if err != nil {
providerLog(logger.LevelError, "unable to save backup: %v", err)
return outputFile, fmt.Errorf("unable to save backup: %w", err)
}
providerLog(logger.LevelDebug, "backup saved to %q", outputFile)
return outputFile, nil
}
// SetTZ sets the configured timezone.
func SetTZ(val string) {
tz = val
}
// UseLocalTime returns true if local time should be used instead of UTC.
func UseLocalTime() bool {
return tz == "local"
}
// ExecuteBackup executes a backup
func ExecuteBackup() (string, error) {
return config.doBackup()
}
// ConvertName converts the given name based on the configured rules
func ConvertName(name string) string {
return config.convertName(name)
}
// ActiveTransfer defines an active protocol transfer
type ActiveTransfer struct {
ID int64
Type int
ConnID string
Username string
FolderName string
IP string
TruncatedSize int64
CurrentULSize int64
CurrentDLSize int64
CreatedAt int64
UpdatedAt int64
}
// TransferQuota stores the allowed transfer quota fields
type TransferQuota struct {
ULSize int64
DLSize int64
TotalSize int64
AllowedULSize int64
AllowedDLSize int64
AllowedTotalSize int64
}
// HasSizeLimits returns true if any size limit is set
func (q *TransferQuota) HasSizeLimits() bool {
return q.AllowedDLSize > 0 || q.AllowedULSize > 0 || q.AllowedTotalSize > 0
}
// HasUploadSpace returns true if there is transfer upload space available
func (q *TransferQuota) HasUploadSpace() bool {
if q.TotalSize <= 0 && q.ULSize <= 0 {
return true
}
if q.TotalSize > 0 {
return q.AllowedTotalSize > 0
}
return q.AllowedULSize > 0
}
// HasDownloadSpace returns true if there is transfer download space available
func (q *TransferQuota) HasDownloadSpace() bool {
if q.TotalSize <= 0 && q.DLSize <= 0 {
return true
}
if q.TotalSize > 0 {
return q.AllowedTotalSize > 0
}
return q.AllowedDLSize > 0
}
// DefenderEntry defines a defender entry
type DefenderEntry struct {
ID int64 `json:"-"`
IP string `json:"ip"`
Score int `json:"score,omitempty"`
BanTime time.Time `json:"ban_time,omitempty"`
}
// GetID returns an unique ID for a defender entry
func (d *DefenderEntry) GetID() string {
return hex.EncodeToString([]byte(d.IP))
}
// GetBanTime returns the ban time for a defender entry as string
func (d *DefenderEntry) GetBanTime() string {
if d.BanTime.IsZero() {
return ""
}
return d.BanTime.UTC().Format(time.RFC3339)
}
// MarshalJSON returns the JSON encoding of a DefenderEntry.
func (d *DefenderEntry) MarshalJSON() ([]byte, error) {
return json.Marshal(&struct {
ID string `json:"id"`
IP string `json:"ip"`
Score int `json:"score,omitempty"`
BanTime string `json:"ban_time,omitempty"`
}{
ID: d.GetID(),
IP: d.IP,
Score: d.Score,
BanTime: d.GetBanTime(),
})
}
// BackupData defines the structure for the backup/restore files
type BackupData struct {
Users []User `json:"users"`
Groups []Group `json:"groups"`
Folders []vfs.BaseVirtualFolder `json:"folders"`
Admins []Admin `json:"admins"`
APIKeys []APIKey `json:"api_keys"`
Shares []Share `json:"shares"`
EventActions []BaseEventAction `json:"event_actions"`
EventRules []EventRule `json:"event_rules"`
Roles []Role `json:"roles"`
IPLists []IPListEntry `json:"ip_lists"`
Configs *Configs `json:"configs"`
Version int `json:"version"`
}
// HasFolder returns true if the folder with the given name is included
func (d *BackupData) HasFolder(name string) bool {
for _, folder := range d.Folders {
if folder.Name == name {
return true
}
}
return false
}
type checkPasswordRequest struct {
Username string `json:"username"`
IP string `json:"ip"`
Password string `json:"password"`
Protocol string `json:"protocol"`
}
type checkPasswordResponse struct {
// 0 KO, 1 OK, 2 partial success, -1 not executed
Status int `json:"status"`
// for status = 2 this is the password to check against the one stored
// inside the SFTPGo data provider
ToVerify string `json:"to_verify"`
}
// GetQuotaTracking returns the configured mode for user's quota tracking
func GetQuotaTracking() int {
return config.TrackQuota
}
// HasUsersBaseDir returns true if users base dir is set
func HasUsersBaseDir() bool {
return config.UsersBaseDir != ""
}
// Provider defines the interface that data providers must implement.
type Provider interface {
validateUserAndPass(username, password, ip, protocol string) (User, error)
validateUserAndPubKey(username string, pubKey []byte, isSSHCert bool) (User, string, error)
validateUserAndTLSCert(username, protocol string, tlsCert *x509.Certificate) (User, error)
updateQuota(username string, filesAdd int, sizeAdd int64, reset bool) error
updateTransferQuota(username string, uploadSize, downloadSize int64, reset bool) error
getUsedQuota(username string) (int, int64, int64, int64, error)
userExists(username, role string) (User, error)
addUser(user *User) error
updateUser(user *User) error
deleteUser(user User, softDelete bool) error
updateUserPassword(username, password string) error // used internally when converting passwords from other hash
getUsers(limit int, offset int, order, role string) ([]User, error)
dumpUsers() ([]User, error)
getRecentlyUpdatedUsers(after int64) ([]User, error)
getUsersForQuotaCheck(toFetch map[string]bool) ([]User, error)
updateLastLogin(username string) error
updateAdminLastLogin(username string) error
setUpdatedAt(username string)
getAdminSignature(username string) (string, error)
getUserSignature(username string) (string, error)
getFolders(limit, offset int, order string, minimal bool) ([]vfs.BaseVirtualFolder, error)
getFolderByName(name string) (vfs.BaseVirtualFolder, error)
addFolder(folder *vfs.BaseVirtualFolder) error
updateFolder(folder *vfs.BaseVirtualFolder) error
deleteFolder(folder vfs.BaseVirtualFolder) error
updateFolderQuota(name string, filesAdd int, sizeAdd int64, reset bool) error
getUsedFolderQuota(name string) (int, int64, error)
dumpFolders() ([]vfs.BaseVirtualFolder, error)
getGroups(limit, offset int, order string, minimal bool) ([]Group, error)
getGroupsWithNames(names []string) ([]Group, error)
getUsersInGroups(names []string) ([]string, error)
groupExists(name string) (Group, error)
addGroup(group *Group) error
updateGroup(group *Group) error
deleteGroup(group Group) error
dumpGroups() ([]Group, error)
adminExists(username string) (Admin, error)
addAdmin(admin *Admin) error
updateAdmin(admin *Admin) error
deleteAdmin(admin Admin) error
getAdmins(limit int, offset int, order string) ([]Admin, error)
dumpAdmins() ([]Admin, error)
validateAdminAndPass(username, password, ip string) (Admin, error)
apiKeyExists(keyID string) (APIKey, error)
addAPIKey(apiKey *APIKey) error
updateAPIKey(apiKey *APIKey) error
deleteAPIKey(apiKey APIKey) error
getAPIKeys(limit int, offset int, order string) ([]APIKey, error)
dumpAPIKeys() ([]APIKey, error)
updateAPIKeyLastUse(keyID string) error
shareExists(shareID, username string) (Share, error)
addShare(share *Share) error
updateShare(share *Share) error
deleteShare(share Share) error
getShares(limit int, offset int, order, username string) ([]Share, error)
dumpShares() ([]Share, error)
updateShareLastUse(shareID string, numTokens int) error
getDefenderHosts(from int64, limit int) ([]DefenderEntry, error)
getDefenderHostByIP(ip string, from int64) (DefenderEntry, error)
isDefenderHostBanned(ip string) (DefenderEntry, error)
updateDefenderBanTime(ip string, minutes int) error
deleteDefenderHost(ip string) error
addDefenderEvent(ip string, score int) error
setDefenderBanTime(ip string, banTime int64) error
cleanupDefender(from int64) error
addActiveTransfer(transfer ActiveTransfer) error
updateActiveTransferSizes(ulSize, dlSize, transferID int64, connectionID string) error
removeActiveTransfer(transferID int64, connectionID string) error
cleanupActiveTransfers(before time.Time) error
getActiveTransfers(from time.Time) ([]ActiveTransfer, error)
addSharedSession(session Session) error
deleteSharedSession(key string) error
getSharedSession(key string) (Session, error)
cleanupSharedSessions(sessionType SessionType, before int64) error
getEventActions(limit, offset int, order string, minimal bool) ([]BaseEventAction, error)
dumpEventActions() ([]BaseEventAction, error)
eventActionExists(name string) (BaseEventAction, error)
addEventAction(action *BaseEventAction) error
updateEventAction(action *BaseEventAction) error
deleteEventAction(action BaseEventAction) error
getEventRules(limit, offset int, order string) ([]EventRule, error)
dumpEventRules() ([]EventRule, error)
getRecentlyUpdatedRules(after int64) ([]EventRule, error)
eventRuleExists(name string) (EventRule, error)
addEventRule(rule *EventRule) error
updateEventRule(rule *EventRule) error
deleteEventRule(rule EventRule, softDelete bool) error
getTaskByName(name string) (Task, error)
addTask(name string) error
updateTask(name string, version int64) error
updateTaskTimestamp(name string) error
setFirstDownloadTimestamp(username string) error
setFirstUploadTimestamp(username string) error
addNode() error
getNodeByName(name string) (Node, error)
getNodes() ([]Node, error)
updateNodeTimestamp() error
cleanupNodes() error
roleExists(name string) (Role, error)
addRole(role *Role) error
updateRole(role *Role) error
deleteRole(role Role) error
getRoles(limit int, offset int, order string, minimal bool) ([]Role, error)
dumpRoles() ([]Role, error)
ipListEntryExists(ipOrNet string, listType IPListType) (IPListEntry, error)
addIPListEntry(entry *IPListEntry) error
updateIPListEntry(entry *IPListEntry) error
deleteIPListEntry(entry IPListEntry, softDelete bool) error
getIPListEntries(listType IPListType, filter, from, order string, limit int) ([]IPListEntry, error)
getRecentlyUpdatedIPListEntries(after int64) ([]IPListEntry, error)
dumpIPListEntries() ([]IPListEntry, error)
countIPListEntries(listType IPListType) (int64, error)
getListEntriesForIP(ip string, listType IPListType) ([]IPListEntry, error)
getConfigs() (Configs, error)
setConfigs(configs *Configs) error
checkAvailability() error
close() error
reloadConfig() error
initializeDatabase() error
migrateDatabase() error
revertDatabase(targetVersion int) error
resetDatabase() error
}
// SetAllowSelfConnections sets the desired behaviour for self connections
func SetAllowSelfConnections(value int) {
allowSelfConnections = value
}
// SetTempPath sets the path for temporary files
func SetTempPath(fsPath string) {
tempPath = fsPath
}
func checkSharedMode() {
if !slices.Contains(sharedProviders, config.Driver) {
config.IsShared = 0
}
}
// Initialize the data provider.
// An error is returned if the configured driver is invalid or if the data provider cannot be initialized
func Initialize(cnf Config, basePath string, checkAdmins bool) error {
config = cnf
checkSharedMode()
config.Actions.ExecuteOn = util.RemoveDuplicates(config.Actions.ExecuteOn, true)
config.Actions.ExecuteFor = util.RemoveDuplicates(config.Actions.ExecuteFor, true)
cnf.BackupsPath = getConfigPath(cnf.BackupsPath, basePath)
if cnf.BackupsPath == "" {
return fmt.Errorf("required directory is invalid, backup path %q", cnf.BackupsPath)
}
absoluteBackupPath, err := util.GetAbsolutePath(cnf.BackupsPath)
if err != nil {
return fmt.Errorf("unable to get absolute backup path: %w", err)
}
config.BackupsPath = absoluteBackupPath
if err := initializeHashingAlgo(&cnf); err != nil {
return err
}
if err := validateHooks(); err != nil {
return err
}
if err := createProvider(basePath); err != nil {
return err
}
if err := checkDatabase(checkAdmins); err != nil {
return err
}
admins, err := provider.getAdmins(1, 0, OrderASC)
if err != nil {
return err
}
isAdminCreated.Store(len(admins) > 0)
if err := config.Node.validate(); err != nil {
return err
}
delayedQuotaUpdater.start()
if currentNode != nil {
config.BackupsPath = filepath.Join(config.BackupsPath, currentNode.Name)
}
providerLog(logger.LevelDebug, "absolute backup path %q", config.BackupsPath)
return startScheduler()
}
func checkDatabase(checkAdmins bool) error {
if config.UpdateMode == 0 {
err := provider.initializeDatabase()
if err != nil && err != ErrNoInitRequired {
logger.WarnToConsole("unable to initialize data provider: %v", err)
providerLog(logger.LevelError, "unable to initialize data provider: %v", err)
return err
}
if err == nil {
logger.DebugToConsole("data provider successfully initialized")
providerLog(logger.LevelInfo, "data provider successfully initialized")
}
err = provider.migrateDatabase()
if err != nil && err != ErrNoInitRequired {
providerLog(logger.LevelError, "database migration error: %v", err)
return err
}
if checkAdmins && config.CreateDefaultAdmin {
err = checkDefaultAdmin()
if err != nil {
providerLog(logger.LevelError, "erro checking the default admin: %v", err)
return err
}
}
} else {
providerLog(logger.LevelInfo, "database initialization/migration skipped, manual mode is configured")
}
return nil
}
func validateHooks() error {
var hooks []string
if config.PreLoginHook != "" && !strings.HasPrefix(config.PreLoginHook, "http") {
hooks = append(hooks, config.PreLoginHook)
}
if config.ExternalAuthHook != "" && !strings.HasPrefix(config.ExternalAuthHook, "http") {
hooks = append(hooks, config.ExternalAuthHook)
}
if config.PostLoginHook != "" && !strings.HasPrefix(config.PostLoginHook, "http") {
hooks = append(hooks, config.PostLoginHook)
}
if config.CheckPasswordHook != "" && !strings.HasPrefix(config.CheckPasswordHook, "http") {
hooks = append(hooks, config.CheckPasswordHook)
}
for _, hook := range hooks {
if !filepath.IsAbs(hook) {
return fmt.Errorf("invalid hook: %q must be an absolute path", hook)
}
_, err := os.Stat(hook)
if err != nil {
providerLog(logger.LevelError, "invalid hook: %v", err)
return err
}
}
return nil
}
// GetBackupsPath returns the normalized backups path
func GetBackupsPath() string {
return config.BackupsPath
}
// GetProviderFromValue returns the FilesystemProvider matching the specified value.
// If no match is found LocalFilesystemProvider is returned.
func GetProviderFromValue(value string) sdk.FilesystemProvider {
val, err := strconv.Atoi(value)
if err != nil {
return sdk.LocalFilesystemProvider
}
result := sdk.FilesystemProvider(val)
if sdk.IsProviderSupported(result) {
return result
}
return sdk.LocalFilesystemProvider
}
func initializeHashingAlgo(cnf *Config) error {
parallelism := cnf.PasswordHashing.Argon2Options.Parallelism
if parallelism == 0 {
parallelism = uint8(runtime.NumCPU())
}
argon2Params = &argon2id.Params{
Memory: cnf.PasswordHashing.Argon2Options.Memory,
Iterations: cnf.PasswordHashing.Argon2Options.Iterations,
Parallelism: parallelism,
SaltLength: 16,
KeyLength: 32,
}
if config.PasswordHashing.Algo == HashingAlgoBcrypt {
if config.PasswordHashing.BcryptOptions.Cost > bcrypt.MaxCost {
err := fmt.Errorf("invalid bcrypt cost %v, max allowed %v", config.PasswordHashing.BcryptOptions.Cost, bcrypt.MaxCost)
logger.WarnToConsole("Unable to initialize data provider: %v", err)
providerLog(logger.LevelError, "Unable to initialize data provider: %v", err)
return err
}
}
return nil
}
func validateSQLTablesPrefix() error {
initSQLTables()
if config.SQLTablesPrefix != "" {
for _, char := range config.SQLTablesPrefix {
if !strings.Contains(sqlPrefixValidChars, strings.ToLower(string(char))) {
return errors.New("invalid sql_tables_prefix only chars in range 'a..z', 'A..Z', '0-9' and '_' are allowed")
}
}
sqlTableUsers = config.SQLTablesPrefix + sqlTableUsers
sqlTableFolders = config.SQLTablesPrefix + sqlTableFolders
sqlTableUsersFoldersMapping = config.SQLTablesPrefix + sqlTableUsersFoldersMapping
sqlTableAdmins = config.SQLTablesPrefix + sqlTableAdmins
sqlTableAPIKeys = config.SQLTablesPrefix + sqlTableAPIKeys
sqlTableShares = config.SQLTablesPrefix + sqlTableShares
sqlTableDefenderEvents = config.SQLTablesPrefix + sqlTableDefenderEvents
sqlTableDefenderHosts = config.SQLTablesPrefix + sqlTableDefenderHosts
sqlTableActiveTransfers = config.SQLTablesPrefix + sqlTableActiveTransfers
sqlTableGroups = config.SQLTablesPrefix + sqlTableGroups
sqlTableUsersGroupsMapping = config.SQLTablesPrefix + sqlTableUsersGroupsMapping
sqlTableAdminsGroupsMapping = config.SQLTablesPrefix + sqlTableAdminsGroupsMapping
sqlTableGroupsFoldersMapping = config.SQLTablesPrefix + sqlTableGroupsFoldersMapping
sqlTableSharedSessions = config.SQLTablesPrefix + sqlTableSharedSessions
sqlTableEventsActions = config.SQLTablesPrefix + sqlTableEventsActions
sqlTableEventsRules = config.SQLTablesPrefix + sqlTableEventsRules
sqlTableRulesActionsMapping = config.SQLTablesPrefix + sqlTableRulesActionsMapping
sqlTableTasks = config.SQLTablesPrefix + sqlTableTasks
sqlTableNodes = config.SQLTablesPrefix + sqlTableNodes
sqlTableRoles = config.SQLTablesPrefix + sqlTableRoles
sqlTableIPLists = config.SQLTablesPrefix + sqlTableIPLists
sqlTableConfigs = config.SQLTablesPrefix + sqlTableConfigs
sqlTableSchemaVersion = config.SQLTablesPrefix + sqlTableSchemaVersion
providerLog(logger.LevelDebug, "sql table for users %q, folders %q users folders mapping %q admins %q "+
"api keys %q shares %q defender hosts %q defender events %q transfers %q groups %q "+
"users groups mapping %q admins groups mapping %q groups folders mapping %q shared sessions %q "+
"schema version %q events actions %q events rules %q rules actions mapping %q tasks %q nodes %q roles %q"+
"ip lists %q configs %q",
sqlTableUsers, sqlTableFolders, sqlTableUsersFoldersMapping, sqlTableAdmins, sqlTableAPIKeys,
sqlTableShares, sqlTableDefenderHosts, sqlTableDefenderEvents, sqlTableActiveTransfers, sqlTableGroups,
sqlTableUsersGroupsMapping, sqlTableAdminsGroupsMapping, sqlTableGroupsFoldersMapping, sqlTableSharedSessions,
sqlTableSchemaVersion, sqlTableEventsActions, sqlTableEventsRules, sqlTableRulesActionsMapping,
sqlTableTasks, sqlTableNodes, sqlTableRoles, sqlTableIPLists, sqlTableConfigs)
}
return nil
}
func checkDefaultAdmin() error {
admins, err := provider.getAdmins(1, 0, OrderASC)
if err != nil {
return err
}
if len(admins) > 0 {
return nil
}
logger.Debug(logSender, "", "no admins found, try to create the default one")
// we need to create the default admin
admin := &Admin{}
if err := admin.setFromEnv(); err != nil {
return err
}
return provider.addAdmin(admin)
}
// InitializeDatabase creates the initial database structure
func InitializeDatabase(cnf Config, basePath string) error {
config = cnf
if err := initializeHashingAlgo(&cnf); err != nil {
return err
}
err := createProvider(basePath)
if err != nil {
return err
}
err = provider.initializeDatabase()
if err != nil && err != ErrNoInitRequired {
return err
}
return provider.migrateDatabase()
}
// RevertDatabase restores schema and/or data to a previous version
func RevertDatabase(cnf Config, basePath string, targetVersion int) error {
config = cnf
err := createProvider(basePath)
if err != nil {
return err
}
err = provider.initializeDatabase()
if err != nil && err != ErrNoInitRequired {
return err
}
return provider.revertDatabase(targetVersion)
}
// ResetDatabase restores schema and/or data to a previous version
func ResetDatabase(cnf Config, basePath string) error {
config = cnf
if err := createProvider(basePath); err != nil {
return err
}
return provider.resetDatabase()
}
// CheckAdminAndPass validates the given admin and password connecting from ip
func CheckAdminAndPass(username, password, ip string) (Admin, error) {
username = config.convertName(username)
return provider.validateAdminAndPass(username, password, ip)
}
// CheckCachedUserCredentials checks the credentials for a cached user
func CheckCachedUserCredentials(user *CachedUser, password, ip, loginMethod, protocol string, tlsCert *x509.Certificate) (*CachedUser, *User, error) {
if !user.User.skipExternalAuth() && isExternalAuthConfigured(loginMethod) {
u, _, err := CheckCompositeCredentials(user.User.Username, password, ip, loginMethod, protocol, tlsCert)
if err != nil {
return nil, nil, err
}
webDAVUsersCache.swap(&u, password)
cu, _ := webDAVUsersCache.get(u.Username)
return cu, &u, nil
}
if err := user.User.CheckLoginConditions(); err != nil {
return user, nil, err
}
if loginMethod == LoginMethodPassword && user.User.Filters.IsAnonymous {
return user, nil, nil
}
if loginMethod != LoginMethodPassword {
_, err := checkUserAndTLSCertificate(&user.User, protocol, tlsCert)
if err != nil {
return user, nil, err
}
if loginMethod == LoginMethodTLSCertificate {
if !user.User.IsLoginMethodAllowed(LoginMethodTLSCertificate, protocol) {
return user, nil, fmt.Errorf("certificate login method is not allowed for user %q", user.User.Username)
}
return user, nil, nil
}
}
if password == "" {
return user, nil, ErrInvalidCredentials
}
if user.Password != "" {
if password == user.Password {
return user, nil, nil
}
} else {
if ok, _ := isPasswordOK(&user.User, password); ok {
return user, nil, nil
}
}
return user, nil, ErrInvalidCredentials
}
// CheckCompositeCredentials checks multiple credentials.
// WebDAV users can send both a password and a TLS certificate within the same request
func CheckCompositeCredentials(username, password, ip, loginMethod, protocol string, tlsCert *x509.Certificate) (User, string, error) {
username = config.convertName(username)
if loginMethod == LoginMethodPassword {
user, err := CheckUserAndPass(username, password, ip, protocol)
return user, loginMethod, err
}
user, err := CheckUserBeforeTLSAuth(username, ip, protocol, tlsCert)
if err != nil {
return user, loginMethod, err
}
if !user.IsTLSVerificationEnabled() {
// for backward compatibility with 2.0.x we only check the password and change the login method here
// in future updates we have to return an error
user, err := CheckUserAndPass(username, password, ip, protocol)
return user, LoginMethodPassword, err
}
user, err = checkUserAndTLSCertificate(&user, protocol, tlsCert)
if err != nil {
return user, loginMethod, err
}
if loginMethod == LoginMethodTLSCertificate && !user.IsLoginMethodAllowed(LoginMethodTLSCertificate, protocol) {
return user, loginMethod, fmt.Errorf("certificate login method is not allowed for user %q", user.Username)
}
if loginMethod == LoginMethodTLSCertificateAndPwd {
if plugin.Handler.HasAuthScope(plugin.AuthScopePassword) {
user, err = doPluginAuth(username, password, nil, ip, protocol, nil, plugin.AuthScopePassword)
} else if config.ExternalAuthHook != "" && (config.ExternalAuthScope == 0 || config.ExternalAuthScope&1 != 0) {
user, err = doExternalAuth(username, password, nil, "", ip, protocol, nil)
} else if config.PreLoginHook != "" {
user, err = executePreLoginHook(username, LoginMethodPassword, ip, protocol, nil)
}
if err != nil {
return user, loginMethod, err
}
user, err = checkUserAndPass(&user, password, ip, protocol)
}
return user, loginMethod, err
}
// CheckUserBeforeTLSAuth checks if a user exits before trying mutual TLS
func CheckUserBeforeTLSAuth(username, ip, protocol string, tlsCert *x509.Certificate) (User, error) {
username = config.convertName(username)
if plugin.Handler.HasAuthScope(plugin.AuthScopeTLSCertificate) {
user, err := doPluginAuth(username, "", nil, ip, protocol, tlsCert, plugin.AuthScopeTLSCertificate)
if err != nil {
return user, err
}
err = user.LoadAndApplyGroupSettings()
return user, err
}
if config.ExternalAuthHook != "" && (config.ExternalAuthScope == 0 || config.ExternalAuthScope&8 != 0) {
user, err := doExternalAuth(username, "", nil, "", ip, protocol, tlsCert)
if err != nil {
return user, err
}
err = user.LoadAndApplyGroupSettings()
return user, err
}
if config.PreLoginHook != "" {
user, err := executePreLoginHook(username, LoginMethodTLSCertificate, ip, protocol, nil)
if err != nil {
return user, err
}
err = user.LoadAndApplyGroupSettings()
return user, err
}
user, err := UserExists(username, "")
if err != nil {
return user, err
}
err = user.LoadAndApplyGroupSettings()
return user, err
}
// CheckUserAndTLSCert returns the SFTPGo user with the given username and check if the
// given TLS certificate allow authentication without password
func CheckUserAndTLSCert(username, ip, protocol string, tlsCert *x509.Certificate) (User, error) {
username = config.convertName(username)
if plugin.Handler.HasAuthScope(plugin.AuthScopeTLSCertificate) {
user, err := doPluginAuth(username, "", nil, ip, protocol, tlsCert, plugin.AuthScopeTLSCertificate)
if err != nil {
return user, err
}
return checkUserAndTLSCertificate(&user, protocol, tlsCert)
}
if config.ExternalAuthHook != "" && (config.ExternalAuthScope == 0 || config.ExternalAuthScope&8 != 0) {
user, err := doExternalAuth(username, "", nil, "", ip, protocol, tlsCert)
if err != nil {
return user, err
}
return checkUserAndTLSCertificate(&user, protocol, tlsCert)
}
if config.PreLoginHook != "" {
user, err := executePreLoginHook(username, LoginMethodTLSCertificate, ip, protocol, nil)
if err != nil {
return user, err
}
return checkUserAndTLSCertificate(&user, protocol, tlsCert)
}
return provider.validateUserAndTLSCert(username, protocol, tlsCert)
}
// CheckUserAndPass retrieves the SFTPGo user with the given username and password if a match is found or an error
func CheckUserAndPass(username, password, ip, protocol string) (User, error) {
username = config.convertName(username)
if plugin.Handler.HasAuthScope(plugin.AuthScopePassword) {
user, err := doPluginAuth(username, password, nil, ip, protocol, nil, plugin.AuthScopePassword)
if err != nil {
return user, err
}
return checkUserAndPass(&user, password, ip, protocol)
}
if config.ExternalAuthHook != "" && (config.ExternalAuthScope == 0 || config.ExternalAuthScope&1 != 0) {
user, err := doExternalAuth(username, password, nil, "", ip, protocol, nil)
if err != nil {
return user, err
}
return checkUserAndPass(&user, password, ip, protocol)
}
if config.PreLoginHook != "" {
user, err := executePreLoginHook(username, LoginMethodPassword, ip, protocol, nil)
if err != nil {
return user, err
}
return checkUserAndPass(&user, password, ip, protocol)
}
return provider.validateUserAndPass(username, password, ip, protocol)
}
// CheckUserAndPubKey retrieves the SFTP user with the given username and public key if a match is found or an error
func CheckUserAndPubKey(username string, pubKey []byte, ip, protocol string, isSSHCert bool) (User, string, error) {
username = config.convertName(username)
if plugin.Handler.HasAuthScope(plugin.AuthScopePublicKey) {
user, err := doPluginAuth(username, "", pubKey, ip, protocol, nil, plugin.AuthScopePublicKey)
if err != nil {
return user, "", err
}
return checkUserAndPubKey(&user, pubKey, isSSHCert)
}
if config.ExternalAuthHook != "" && (config.ExternalAuthScope == 0 || config.ExternalAuthScope&2 != 0) {
user, err := doExternalAuth(username, "", pubKey, "", ip, protocol, nil)
if err != nil {
return user, "", err
}
return checkUserAndPubKey(&user, pubKey, isSSHCert)
}
if config.PreLoginHook != "" {
user, err := executePreLoginHook(username, SSHLoginMethodPublicKey, ip, protocol, nil)
if err != nil {
return user, "", err
}
return checkUserAndPubKey(&user, pubKey, isSSHCert)
}
return provider.validateUserAndPubKey(username, pubKey, isSSHCert)
}
// CheckKeyboardInteractiveAuth checks the keyboard interactive authentication and returns
// the authenticated user or an error
func CheckKeyboardInteractiveAuth(username, authHook string, client ssh.KeyboardInteractiveChallenge,
ip, protocol string, isPartialAuth bool,
) (User, error) {
var user User
var err error
username = config.convertName(username)
if plugin.Handler.HasAuthScope(plugin.AuthScopeKeyboardInteractive) {
user, err = doPluginAuth(username, "", nil, ip, protocol, nil, plugin.AuthScopeKeyboardInteractive)
} else if config.ExternalAuthHook != "" && (config.ExternalAuthScope == 0 || config.ExternalAuthScope&4 != 0) {
user, err = doExternalAuth(username, "", nil, "1", ip, protocol, nil)
} else if config.PreLoginHook != "" {
user, err = executePreLoginHook(username, SSHLoginMethodKeyboardInteractive, ip, protocol, nil)
} else {
user, err = provider.userExists(username, "")
}
if err != nil {
return user, err
}
return doKeyboardInteractiveAuth(&user, authHook, client, ip, protocol, isPartialAuth)
}
// GetFTPPreAuthUser returns the SFTPGo user with the specified username
// after receiving the FTP "USER" command.
// If a pre-login hook is defined it will be executed so the SFTPGo user
// can be created if it does not exist
func GetFTPPreAuthUser(username, ip string) (User, error) {
var user User
var err error
if config.PreLoginHook != "" {
user, err = executePreLoginHook(username, "", ip, protocolFTP, nil)
} else {
user, err = UserExists(username, "")
}
if err != nil {
return user, err
}
err = user.LoadAndApplyGroupSettings()
return user, err
}
// GetUserAfterIDPAuth returns the SFTPGo user with the specified username
// after a successful authentication with an external identity provider.
// If a pre-login hook is defined it will be executed so the SFTPGo user
// can be created if it does not exist
func GetUserAfterIDPAuth(username, ip, protocol string, oidcTokenFields *map[string]any) (User, error) {
var user User
var err error
if config.PreLoginHook != "" {
user, err = executePreLoginHook(username, LoginMethodIDP, ip, protocol, oidcTokenFields)
user.Filters.RequirePasswordChange = false
} else {
user, err = UserExists(username, "")
}
if err != nil {
return user, err
}
err = user.LoadAndApplyGroupSettings()
return user, err
}
// GetDefenderHosts returns hosts that are banned or for which some violations have been detected
func GetDefenderHosts(from int64, limit int) ([]DefenderEntry, error) {
return provider.getDefenderHosts(from, limit)
}
// GetDefenderHostByIP returns a defender host by ip, if any
func GetDefenderHostByIP(ip string, from int64) (DefenderEntry, error) {
return provider.getDefenderHostByIP(ip, from)
}
// IsDefenderHostBanned returns a defender entry and no error if the specified host is banned
func IsDefenderHostBanned(ip string) (DefenderEntry, error) {
return provider.isDefenderHostBanned(ip)
}
// UpdateDefenderBanTime increments ban time for the specified ip
func UpdateDefenderBanTime(ip string, minutes int) error {
return provider.updateDefenderBanTime(ip, minutes)
}
// DeleteDefenderHost removes the specified IP from the defender lists
func DeleteDefenderHost(ip string) error {
return provider.deleteDefenderHost(ip)
}
// AddDefenderEvent adds an event for the given IP with the given score
// and returns the host with the updated score
func AddDefenderEvent(ip string, score int, from int64) (DefenderEntry, error) {
if err := provider.addDefenderEvent(ip, score); err != nil {
return DefenderEntry{}, err
}
return provider.getDefenderHostByIP(ip, from)
}
// SetDefenderBanTime sets the ban time for the specified IP
func SetDefenderBanTime(ip string, banTime int64) error {
return provider.setDefenderBanTime(ip, banTime)
}
// CleanupDefender removes events and hosts older than "from" from the data provider
func CleanupDefender(from int64) error {
return provider.cleanupDefender(from)
}
// UpdateShareLastUse updates the LastUseAt and UsedTokens for the given share
func UpdateShareLastUse(share *Share, numTokens int) error {
return provider.updateShareLastUse(share.ShareID, numTokens)
}
// UpdateAPIKeyLastUse updates the LastUseAt field for the given API key
func UpdateAPIKeyLastUse(apiKey *APIKey) error {
lastUse := util.GetTimeFromMsecSinceEpoch(apiKey.LastUseAt)
diff := -time.Until(lastUse)
if diff < 0 || diff > lastLoginMinDelay {
return provider.updateAPIKeyLastUse(apiKey.KeyID)
}
return nil
}
// UpdateLastLogin updates the last login field for the given SFTPGo user
func UpdateLastLogin(user *User) {
delay := lastLoginMinDelay
if user.Filters.ExternalAuthCacheTime > 0 {
delay = time.Duration(user.Filters.ExternalAuthCacheTime) * time.Second
}
if user.LastLogin <= user.UpdatedAt || !isLastActivityRecent(user.LastLogin, delay) {
err := provider.updateLastLogin(user.Username)
if err == nil {
webDAVUsersCache.updateLastLogin(user.Username)
}
}
}
// UpdateAdminLastLogin updates the last login field for the given SFTPGo admin
func UpdateAdminLastLogin(admin *Admin) {
if !isLastActivityRecent(admin.LastLogin, lastLoginMinDelay) {
provider.updateAdminLastLogin(admin.Username) //nolint:errcheck
}
}
// UpdateUserQuota updates the quota for the given SFTPGo user adding filesAdd and sizeAdd.
// If reset is true filesAdd and sizeAdd indicates the total files and the total size instead of the difference.
func UpdateUserQuota(user *User, filesAdd int, sizeAdd int64, reset bool) error {
if config.TrackQuota == 0 {
return util.NewMethodDisabledError(trackQuotaDisabledError)
} else if config.TrackQuota == 2 && !reset && !user.HasQuotaRestrictions() {
return nil
}
if filesAdd == 0 && sizeAdd == 0 && !reset {
return nil
}
if config.DelayedQuotaUpdate == 0 || reset {
if reset {
delayedQuotaUpdater.resetUserQuota(user.Username)
}
return provider.updateQuota(user.Username, filesAdd, sizeAdd, reset)
}
delayedQuotaUpdater.updateUserQuota(user.Username, filesAdd, sizeAdd)
return nil
}
// UpdateUserFolderQuota updates the quota for the given user and virtual folder.
func UpdateUserFolderQuota(folder *vfs.VirtualFolder, user *User, filesAdd int, sizeAdd int64, reset bool) {
if folder.IsIncludedInUserQuota() {
UpdateUserQuota(user, filesAdd, sizeAdd, reset) //nolint:errcheck
return
}
UpdateVirtualFolderQuota(&folder.BaseVirtualFolder, filesAdd, sizeAdd, reset) //nolint:errcheck
}
// UpdateVirtualFolderQuota updates the quota for the given virtual folder adding filesAdd and sizeAdd.
// If reset is true filesAdd and sizeAdd indicates the total files and the total size instead of the difference.
func UpdateVirtualFolderQuota(vfolder *vfs.BaseVirtualFolder, filesAdd int, sizeAdd int64, reset bool) error {
if config.TrackQuota == 0 {
return util.NewMethodDisabledError(trackQuotaDisabledError)
}
if filesAdd == 0 && sizeAdd == 0 && !reset {
return nil
}
if config.DelayedQuotaUpdate == 0 || reset {
if reset {
delayedQuotaUpdater.resetFolderQuota(vfolder.Name)
}
return provider.updateFolderQuota(vfolder.Name, filesAdd, sizeAdd, reset)
}
delayedQuotaUpdater.updateFolderQuota(vfolder.Name, filesAdd, sizeAdd)
return nil
}
// UpdateUserTransferQuota updates the transfer quota for the given SFTPGo user.
// If reset is true uploadSize and downloadSize indicates the actual sizes instead of the difference.
func UpdateUserTransferQuota(user *User, uploadSize, downloadSize int64, reset bool) error {
if config.TrackQuota == 0 {
return util.NewMethodDisabledError(trackQuotaDisabledError)
} else if config.TrackQuota == 2 && !reset && !user.HasTransferQuotaRestrictions() {
return nil
}
if downloadSize == 0 && uploadSize == 0 && !reset {
return nil
}
if config.DelayedQuotaUpdate == 0 || reset {
if reset {
delayedQuotaUpdater.resetUserTransferQuota(user.Username)
}
return provider.updateTransferQuota(user.Username, uploadSize, downloadSize, reset)
}
delayedQuotaUpdater.updateUserTransferQuota(user.Username, uploadSize, downloadSize)
return nil
}
// UpdateUserTransferTimestamps updates the first download/upload fields if unset
func UpdateUserTransferTimestamps(username string, isUpload bool) error {
if isUpload {
err := provider.setFirstUploadTimestamp(username)
if err != nil {
providerLog(logger.LevelWarn, "unable to set first upload: %v", err)
}
return err
}
err := provider.setFirstDownloadTimestamp(username)
if err != nil {
providerLog(logger.LevelWarn, "unable to set first download: %v", err)
}
return err
}
// GetUsedQuota returns the used quota for the given SFTPGo user.
func GetUsedQuota(username string) (int, int64, int64, int64, error) {
if config.TrackQuota == 0 {
return 0, 0, 0, 0, util.NewMethodDisabledError(trackQuotaDisabledError)
}
files, size, ulTransferSize, dlTransferSize, err := provider.getUsedQuota(username)
if err != nil {
return files, size, ulTransferSize, dlTransferSize, err
}
delayedFiles, delayedSize := delayedQuotaUpdater.getUserPendingQuota(username)
delayedUlTransferSize, delayedDLTransferSize := delayedQuotaUpdater.getUserPendingTransferQuota(username)
return files + delayedFiles, size + delayedSize, ulTransferSize + delayedUlTransferSize,
dlTransferSize + delayedDLTransferSize, err
}
// GetUsedVirtualFolderQuota returns the used quota for the given virtual folder.
func GetUsedVirtualFolderQuota(name string) (int, int64, error) {
if config.TrackQuota == 0 {
return 0, 0, util.NewMethodDisabledError(trackQuotaDisabledError)
}
files, size, err := provider.getUsedFolderQuota(name)
if err != nil {
return files, size, err
}
delayedFiles, delayedSize := delayedQuotaUpdater.getFolderPendingQuota(name)
return files + delayedFiles, size + delayedSize, err
}
// GetConfigs returns the configurations
func GetConfigs() (Configs, error) {
return provider.getConfigs()
}
// UpdateConfigs updates configurations
func UpdateConfigs(configs *Configs, executor, ipAddress, role string) error {
if configs == nil {
configs = &Configs{}
} else {
configs.UpdatedAt = util.GetTimeAsMsSinceEpoch(time.Now())
}
err := provider.setConfigs(configs)
if err == nil {
executeAction(operationUpdate, executor, ipAddress, actionObjectConfigs, "configs", role, configs)
}
return err
}
// AddShare adds a new share
func AddShare(share *Share, executor, ipAddress, role string) error {
err := provider.addShare(share)
if err == nil {
executeAction(operationAdd, executor, ipAddress, actionObjectShare, share.ShareID, role, share)
}
return err
}
// UpdateShare updates an existing share
func UpdateShare(share *Share, executor, ipAddress, role string) error {
err := provider.updateShare(share)
if err == nil {
executeAction(operationUpdate, executor, ipAddress, actionObjectShare, share.ShareID, role, share)
}
return err
}
// DeleteShare deletes an existing share
func DeleteShare(shareID string, executor, ipAddress, role string) error {
share, err := provider.shareExists(shareID, executor)
if err != nil {
return err
}
err = provider.deleteShare(share)
if err == nil {
executeAction(operationDelete, executor, ipAddress, actionObjectShare, shareID, role, &share)
}
return err
}
// ShareExists returns the share with the given ID if it exists
func ShareExists(shareID, username string) (Share, error) {
if shareID == "" {
return Share{}, util.NewRecordNotFoundError(fmt.Sprintf("Share %q does not exist", shareID))
}
return provider.shareExists(shareID, username)
}
// AddIPListEntry adds a new IP list entry
func AddIPListEntry(entry *IPListEntry, executor, ipAddress, executorRole string) error {
err := provider.addIPListEntry(entry)
if err == nil {
executeAction(operationAdd, executor, ipAddress, actionObjectIPListEntry, entry.getName(), executorRole, entry)
for _, l := range inMemoryLists {
l.addEntry(entry)
}
}
return err
}
// UpdateIPListEntry updates an existing IP list entry
func UpdateIPListEntry(entry *IPListEntry, executor, ipAddress, executorRole string) error {
err := provider.updateIPListEntry(entry)
if err == nil {
executeAction(operationUpdate, executor, ipAddress, actionObjectIPListEntry, entry.getName(), executorRole, entry)
for _, l := range inMemoryLists {
l.updateEntry(entry)
}
}
return err
}
// DeleteIPListEntry deletes an existing IP list entry
func DeleteIPListEntry(ipOrNet string, listType IPListType, executor, ipAddress, executorRole string) error {
entry, err := provider.ipListEntryExists(ipOrNet, listType)
if err != nil {
return err
}
err = provider.deleteIPListEntry(entry, config.IsShared == 1)
if err == nil {
executeAction(operationDelete, executor, ipAddress, actionObjectIPListEntry, entry.getName(), executorRole, &entry)
for _, l := range inMemoryLists {
l.removeEntry(&entry)
}
}
return err
}
// IPListEntryExists returns the IP list entry with the given IP/net and type if it exists
func IPListEntryExists(ipOrNet string, listType IPListType) (IPListEntry, error) {
return provider.ipListEntryExists(ipOrNet, listType)
}
// GetIPListEntries returns the IP list entries applying the specified criteria and search limit
func GetIPListEntries(listType IPListType, filter, from, order string, limit int) ([]IPListEntry, error) {
if !slices.Contains(supportedIPListType, listType) {
return nil, util.NewValidationError(fmt.Sprintf("invalid list type %d", listType))
}
return provider.getIPListEntries(listType, filter, from, order, limit)
}
// AddRole adds a new role
func AddRole(role *Role, executor, ipAddress, executorRole string) error {
role.Name = config.convertName(role.Name)
err := provider.addRole(role)
if err == nil {
executeAction(operationAdd, executor, ipAddress, actionObjectRole, role.Name, executorRole, role)
}
return err
}
// UpdateRole updates an existing Role
func UpdateRole(role *Role, executor, ipAddress, executorRole string) error {
err := provider.updateRole(role)
if err == nil {
executeAction(operationUpdate, executor, ipAddress, actionObjectRole, role.Name, executorRole, role)
}
return err
}
// DeleteRole deletes an existing Role
func DeleteRole(name string, executor, ipAddress, executorRole string) error {
name = config.convertName(name)
role, err := provider.roleExists(name)
if err != nil {
return err
}
if len(role.Admins) > 0 {
errorString := fmt.Sprintf("the role %q is referenced, it cannot be removed", role.Name)
return util.NewValidationError(errorString)
}
err = provider.deleteRole(role)
if err == nil {
executeAction(operationDelete, executor, ipAddress, actionObjectRole, role.Name, executorRole, &role)
for _, user := range role.Users {
provider.setUpdatedAt(user)
u, err := provider.userExists(user, "")
if err == nil {
webDAVUsersCache.swap(&u, "")
executeAction(operationUpdate, executor, ipAddress, actionObjectUser, u.Username, u.Role, &u)
}
}
}
return err
}
// RoleExists returns the Role with the given name if it exists
func RoleExists(name string) (Role, error) {
name = config.convertName(name)
return provider.roleExists(name)
}
// AddGroup adds a new group
func AddGroup(group *Group, executor, ipAddress, role string) error {
group.Name = config.convertName(group.Name)
err := provider.addGroup(group)
if err == nil {
executeAction(operationAdd, executor, ipAddress, actionObjectGroup, group.Name, role, group)
}
return err
}
// UpdateGroup updates an existing Group
func UpdateGroup(group *Group, users []string, executor, ipAddress, role string) error {
err := provider.updateGroup(group)
if err == nil {
for _, user := range users {
provider.setUpdatedAt(user)
u, err := provider.userExists(user, "")
if err == nil {
webDAVUsersCache.swap(&u, "")
} else {
RemoveCachedWebDAVUser(user)
}
}
executeAction(operationUpdate, executor, ipAddress, actionObjectGroup, group.Name, role, group)
}
return err
}
// DeleteGroup deletes an existing Group
func DeleteGroup(name string, executor, ipAddress, role string) error {
name = config.convertName(name)
group, err := provider.groupExists(name)
if err != nil {
return err
}
if len(group.Users) > 0 {
errorString := fmt.Sprintf("the group %q is referenced, it cannot be removed", group.Name)
return util.NewValidationError(errorString)
}
err = provider.deleteGroup(group)
if err == nil {
for _, user := range group.Users {
provider.setUpdatedAt(user)
u, err := provider.userExists(user, "")
if err == nil {
executeAction(operationUpdate, executor, ipAddress, actionObjectUser, u.Username, u.Role, &u)
}
RemoveCachedWebDAVUser(user)
}
executeAction(operationDelete, executor, ipAddress, actionObjectGroup, group.Name, role, &group)
}
return err
}
// GroupExists returns the Group with the given name if it exists
func GroupExists(name string) (Group, error) {
name = config.convertName(name)
return provider.groupExists(name)
}
// AddAPIKey adds a new API key
func AddAPIKey(apiKey *APIKey, executor, ipAddress, role string) error {
err := provider.addAPIKey(apiKey)
if err == nil {
executeAction(operationAdd, executor, ipAddress, actionObjectAPIKey, apiKey.KeyID, role, apiKey)
}
return err
}
// UpdateAPIKey updates an existing API key
func UpdateAPIKey(apiKey *APIKey, executor, ipAddress, role string) error {
err := provider.updateAPIKey(apiKey)
if err == nil {
executeAction(operationUpdate, executor, ipAddress, actionObjectAPIKey, apiKey.KeyID, role, apiKey)
}
return err
}
// DeleteAPIKey deletes an existing API key
func DeleteAPIKey(keyID string, executor, ipAddress, role string) error {
apiKey, err := provider.apiKeyExists(keyID)
if err != nil {
return err
}
err = provider.deleteAPIKey(apiKey)
if err == nil {
executeAction(operationDelete, executor, ipAddress, actionObjectAPIKey, apiKey.KeyID, role, &apiKey)
cachedAPIKeys.Remove(keyID)
}
return err
}
// APIKeyExists returns the API key with the given ID if it exists
func APIKeyExists(keyID string) (APIKey, error) {
if keyID == "" {
return APIKey{}, util.NewRecordNotFoundError(fmt.Sprintf("API key %q does not exist", keyID))
}
return provider.apiKeyExists(keyID)
}
// GetEventActions returns an array of event actions respecting limit and offset
func GetEventActions(limit, offset int, order string, minimal bool) ([]BaseEventAction, error) {
return provider.getEventActions(limit, offset, order, minimal)
}
// EventActionExists returns the event action with the given name if it exists
func EventActionExists(name string) (BaseEventAction, error) {
name = config.convertName(name)
return provider.eventActionExists(name)
}
// AddEventAction adds a new event action
func AddEventAction(action *BaseEventAction, executor, ipAddress, role string) error {
action.Name = config.convertName(action.Name)
err := provider.addEventAction(action)
if err == nil {
executeAction(operationAdd, executor, ipAddress, actionObjectEventAction, action.Name, role, action)
}
return err
}
// UpdateEventAction updates an existing event action
func UpdateEventAction(action *BaseEventAction, executor, ipAddress, role string) error {
err := provider.updateEventAction(action)
if err == nil {
if fnReloadRules != nil {
fnReloadRules()
}
executeAction(operationUpdate, executor, ipAddress, actionObjectEventAction, action.Name, role, action)
}
return err
}
// DeleteEventAction deletes an existing event action
func DeleteEventAction(name string, executor, ipAddress, role string) error {
name = config.convertName(name)
action, err := provider.eventActionExists(name)
if err != nil {
return err
}
if len(action.Rules) > 0 {
errorString := fmt.Sprintf("the event action %#q is referenced, it cannot be removed", action.Name)
return util.NewValidationError(errorString)
}
err = provider.deleteEventAction(action)
if err == nil {
executeAction(operationDelete, executor, ipAddress, actionObjectEventAction, action.Name, role, &action)
}
return err
}
// GetEventRules returns an array of event rules respecting limit and offset
func GetEventRules(limit, offset int, order string) ([]EventRule, error) {
return provider.getEventRules(limit, offset, order)
}
// GetRecentlyUpdatedRules returns the event rules updated after the specified time
func GetRecentlyUpdatedRules(after int64) ([]EventRule, error) {
return provider.getRecentlyUpdatedRules(after)
}
// EventRuleExists returns the event rule with the given name if it exists
func EventRuleExists(name string) (EventRule, error) {
name = config.convertName(name)
return provider.eventRuleExists(name)
}
// AddEventRule adds a new event rule
func AddEventRule(rule *EventRule, executor, ipAddress, role string) error {
rule.Name = config.convertName(rule.Name)
err := provider.addEventRule(rule)
if err == nil {
if fnReloadRules != nil {
fnReloadRules()
}
executeAction(operationAdd, executor, ipAddress, actionObjectEventRule, rule.Name, role, rule)
}
return err
}
// UpdateEventRule updates an existing event rule
func UpdateEventRule(rule *EventRule, executor, ipAddress, role string) error {
err := provider.updateEventRule(rule)
if err == nil {
if fnReloadRules != nil {
fnReloadRules()
}
executeAction(operationUpdate, executor, ipAddress, actionObjectEventRule, rule.Name, role, rule)
}
return err
}
// DeleteEventRule deletes an existing event rule
func DeleteEventRule(name string, executor, ipAddress, role string) error {
name = config.convertName(name)
rule, err := provider.eventRuleExists(name)
if err != nil {
return err
}
err = provider.deleteEventRule(rule, config.IsShared == 1)
if err == nil {
if fnRemoveRule != nil {
fnRemoveRule(rule.Name)
}
executeAction(operationDelete, executor, ipAddress, actionObjectEventRule, rule.Name, role, &rule)
}
return err
}
// RemoveEventRule delets an existing event rule without marking it as deleted
func RemoveEventRule(rule EventRule) error {
return provider.deleteEventRule(rule, false)
}
// GetTaskByName returns the task with the specified name
func GetTaskByName(name string) (Task, error) {
return provider.getTaskByName(name)
}
// AddTask add a task with the specified name
func AddTask(name string) error {
return provider.addTask(name)
}
// UpdateTask updates the task with the specified name and version
func UpdateTask(name string, version int64) error {
return provider.updateTask(name, version)
}
// UpdateTaskTimestamp updates the timestamp for the task with the specified name
func UpdateTaskTimestamp(name string) error {
return provider.updateTaskTimestamp(name)
}
// GetNodes returns the other cluster nodes
func GetNodes() ([]Node, error) {
if currentNode == nil {
return nil, nil
}
nodes, err := provider.getNodes()
if err != nil {
providerLog(logger.LevelError, "unable to get other cluster nodes %v", err)
}
return nodes, err
}
// GetNodeByName returns a node, different from the current one, by name
func GetNodeByName(name string) (Node, error) {
if currentNode == nil {
return Node{}, util.NewRecordNotFoundError(errNoClusterNodes.Error())
}
if name == currentNode.Name {
return Node{}, util.NewValidationError(fmt.Sprintf("%s is the current node, it must refer to other nodes", name))
}
return provider.getNodeByName(name)
}
// HasAdmin returns true if the first admin has been created
// and so SFTPGo is ready to be used
func HasAdmin() bool {
return isAdminCreated.Load()
}
// AddAdmin adds a new SFTPGo admin
func AddAdmin(admin *Admin, executor, ipAddress, role string) error {
admin.Filters.RecoveryCodes = nil
admin.Filters.TOTPConfig = AdminTOTPConfig{
Enabled: false,
}
admin.Username = config.convertName(admin.Username)
err := provider.addAdmin(admin)
if err == nil {
isAdminCreated.Store(true)
executeAction(operationAdd, executor, ipAddress, actionObjectAdmin, admin.Username, role, admin)
}
return err
}
// UpdateAdmin updates an existing SFTPGo admin
func UpdateAdmin(admin *Admin, executor, ipAddress, role string) error {
err := provider.updateAdmin(admin)
if err == nil {
executeAction(operationUpdate, executor, ipAddress, actionObjectAdmin, admin.Username, role, admin)
}
return err
}
// DeleteAdmin deletes an existing SFTPGo admin
func DeleteAdmin(username, executor, ipAddress, role string) error {
username = config.convertName(username)
admin, err := provider.adminExists(username)
if err != nil {
return err
}
err = provider.deleteAdmin(admin)
if err == nil {
executeAction(operationDelete, executor, ipAddress, actionObjectAdmin, admin.Username, role, &admin)
cachedAdminPasswords.Remove(username)
}
return err
}
// AdminExists returns the admin with the given username if it exists
func AdminExists(username string) (Admin, error) {
username = config.convertName(username)
return provider.adminExists(username)
}
// UserExists checks if the given SFTPGo username exists, returns an error if no match is found
func UserExists(username, role string) (User, error) {
username = config.convertName(username)
return provider.userExists(username, role)
}
// GetAdminSignature returns the signature for the admin with the specified
// username.
func GetAdminSignature(username string) (string, error) {
username = config.convertName(username)
return provider.getAdminSignature(username)
}
// GetUserSignature returns the signature for the user with the specified
// username.
func GetUserSignature(username string) (string, error) {
username = config.convertName(username)
return provider.getUserSignature(username)
}
// GetUserWithGroupSettings tries to return the user with the specified username
// loading also the group settings
func GetUserWithGroupSettings(username, role string) (User, error) {
username = config.convertName(username)
user, err := provider.userExists(username, role)
if err != nil {
return user, err
}
err = user.LoadAndApplyGroupSettings()
return user, err
}
// GetUserVariants tries to return the user with the specified username with and without
// group settings applied
func GetUserVariants(username, role string) (User, User, error) {
username = config.convertName(username)
user, err := provider.userExists(username, role)
if err != nil {
return user, User{}, err
}
userWithGroupSettings := user.getACopy()
err = userWithGroupSettings.LoadAndApplyGroupSettings()
return user, userWithGroupSettings, err
}
// AddUser adds a new SFTPGo user.
func AddUser(user *User, executor, ipAddress, role string) error {
user.Username = config.convertName(user.Username)
err := provider.addUser(user)
if err == nil {
executeAction(operationAdd, executor, ipAddress, actionObjectUser, user.Username, role, user)
}
return err
}
// UpdateUserPassword updates the user password
func UpdateUserPassword(username, plainPwd, executor, ipAddress, role string) error {
user, err := provider.userExists(username, role)
if err != nil {
return err
}
userCopy := user.getACopy()
if err := userCopy.LoadAndApplyGroupSettings(); err != nil {
return err
}
userCopy.Password = plainPwd
if err := createUserPasswordHash(&userCopy); err != nil {
return err
}
user.LastPasswordChange = userCopy.LastPasswordChange
user.Password = userCopy.Password
user.Filters.RequirePasswordChange = false
// the last password change is set when validating the user
if err := provider.updateUser(&user); err != nil {
return err
}
webDAVUsersCache.swap(&user, plainPwd)
executeAction(operationUpdate, executor, ipAddress, actionObjectUser, username, role, &user)
return nil
}
// UpdateUser updates an existing SFTPGo user.
func UpdateUser(user *User, executor, ipAddress, role string) error {
if user.groupSettingsApplied {
return errors.New("cannot save a user with group settings applied")
}
err := provider.updateUser(user)
if err == nil {
webDAVUsersCache.swap(user, "")
executeAction(operationUpdate, executor, ipAddress, actionObjectUser, user.Username, role, user)
}
return err
}
// DeleteUser deletes an existing SFTPGo user.
func DeleteUser(username, executor, ipAddress, role string) error {
username = config.convertName(username)
user, err := provider.userExists(username, role)
if err != nil {
return err
}
err = provider.deleteUser(user, config.IsShared == 1)
if err == nil {
RemoveCachedWebDAVUser(user.Username)
delayedQuotaUpdater.resetUserQuota(user.Username)
cachedUserPasswords.Remove(username)
executeAction(operationDelete, executor, ipAddress, actionObjectUser, user.Username, role, &user)
}
return err
}
// AddActiveTransfer stores the specified transfer
func AddActiveTransfer(transfer ActiveTransfer) {
if err := provider.addActiveTransfer(transfer); err != nil {
providerLog(logger.LevelError, "unable to add transfer id %v, connection id %v: %v",
transfer.ID, transfer.ConnID, err)
}
}
// UpdateActiveTransferSizes updates the current upload and download sizes for the specified transfer
func UpdateActiveTransferSizes(ulSize, dlSize, transferID int64, connectionID string) {
if err := provider.updateActiveTransferSizes(ulSize, dlSize, transferID, connectionID); err != nil {
providerLog(logger.LevelError, "unable to update sizes for transfer id %v, connection id %v: %v",
transferID, connectionID, err)
}
}
// RemoveActiveTransfer removes the specified transfer
func RemoveActiveTransfer(transferID int64, connectionID string) {
if err := provider.removeActiveTransfer(transferID, connectionID); err != nil {
providerLog(logger.LevelError, "unable to delete transfer id %v, connection id %v: %v",
transferID, connectionID, err)
}
}
// CleanupActiveTransfers removes the transfer before the specified time
func CleanupActiveTransfers(before time.Time) error {
err := provider.cleanupActiveTransfers(before)
if err == nil {
providerLog(logger.LevelDebug, "deleted active transfers updated before: %v", before)
} else {
providerLog(logger.LevelError, "error deleting active transfers updated before %v: %v", before, err)
}
return err
}
// GetActiveTransfers retrieves the active transfers with an update time after the specified value
func GetActiveTransfers(from time.Time) ([]ActiveTransfer, error) {
return provider.getActiveTransfers(from)
}
// AddSharedSession stores a new session within the data provider
func AddSharedSession(session Session) error {
err := provider.addSharedSession(session)
if err != nil {
providerLog(logger.LevelError, "unable to add shared session, key %q, type: %v, err: %v",
session.Key, session.Type, err)
}
return err
}
// DeleteSharedSession deletes the session with the specified key
func DeleteSharedSession(key string) error {
err := provider.deleteSharedSession(key)
if err != nil {
providerLog(logger.LevelError, "unable to add shared session, key %q, err: %v", key, err)
}
return err
}
// GetSharedSession retrieves the session with the specified key
func GetSharedSession(key string) (Session, error) {
return provider.getSharedSession(key)
}
// CleanupSharedSessions removes the shared session with the specified type and
// before the specified time
func CleanupSharedSessions(sessionType SessionType, before time.Time) error {
err := provider.cleanupSharedSessions(sessionType, util.GetTimeAsMsSinceEpoch(before))
if err == nil {
providerLog(logger.LevelDebug, "deleted shared sessions before: %v, type: %v", before, sessionType)
} else {
providerLog(logger.LevelError, "error deleting shared session before %v, type %v: %v", before, sessionType, err)
}
return err
}
// ReloadConfig reloads provider configuration.
// Currently only implemented for memory provider, allows to reload the users
// from the configured file, if defined
func ReloadConfig() error {
return provider.reloadConfig()
}
// GetShares returns an array of shares respecting limit and offset
func GetShares(limit, offset int, order, username string) ([]Share, error) {
return provider.getShares(limit, offset, order, username)
}
// GetAPIKeys returns an array of API keys respecting limit and offset
func GetAPIKeys(limit, offset int, order string) ([]APIKey, error) {
return provider.getAPIKeys(limit, offset, order)
}
// GetAdmins returns an array of admins respecting limit and offset
func GetAdmins(limit, offset int, order string) ([]Admin, error) {
return provider.getAdmins(limit, offset, order)
}
// GetRoles returns an array of roles respecting limit and offset
func GetRoles(limit, offset int, order string, minimal bool) ([]Role, error) {
return provider.getRoles(limit, offset, order, minimal)
}
// GetGroups returns an array of groups respecting limit and offset
func GetGroups(limit, offset int, order string, minimal bool) ([]Group, error) {
return provider.getGroups(limit, offset, order, minimal)
}
// GetUsers returns an array of users respecting limit and offset
func GetUsers(limit, offset int, order, role string) ([]User, error) {
return provider.getUsers(limit, offset, order, role)
}
// GetUsersForQuotaCheck returns the users with the fields required for a quota check
func GetUsersForQuotaCheck(toFetch map[string]bool) ([]User, error) {
return provider.getUsersForQuotaCheck(toFetch)
}
// AddFolder adds a new virtual folder.
func AddFolder(folder *vfs.BaseVirtualFolder, executor, ipAddress, role string) error {
folder.Name = config.convertName(folder.Name)
err := provider.addFolder(folder)
if err == nil {
executeAction(operationAdd, executor, ipAddress, actionObjectFolder, folder.Name, role, &wrappedFolder{Folder: *folder})
}
return err
}
// UpdateFolder updates the specified virtual folder
func UpdateFolder(folder *vfs.BaseVirtualFolder, users []string, groups []string, executor, ipAddress, role string) error {
err := provider.updateFolder(folder)
if err == nil {
executeAction(operationUpdate, executor, ipAddress, actionObjectFolder, folder.Name, role, &wrappedFolder{Folder: *folder})
usersInGroups, errGrp := provider.getUsersInGroups(groups)
if errGrp == nil {
users = append(users, usersInGroups...)
users = util.RemoveDuplicates(users, false)
} else {
providerLog(logger.LevelWarn, "unable to get users in groups %+v: %v", groups, errGrp)
}
for _, user := range users {
provider.setUpdatedAt(user)
u, err := provider.userExists(user, "")
if err == nil {
webDAVUsersCache.swap(&u, "")
executeAction(operationUpdate, executor, ipAddress, actionObjectUser, u.Username, u.Role, &u)
} else {
RemoveCachedWebDAVUser(user)
}
}
}
return err
}
// DeleteFolder deletes an existing folder.
func DeleteFolder(folderName, executor, ipAddress, role string) error {
folderName = config.convertName(folderName)
folder, err := provider.getFolderByName(folderName)
if err != nil {
return err
}
err = provider.deleteFolder(folder)
if err == nil {
executeAction(operationDelete, executor, ipAddress, actionObjectFolder, folder.Name, role, &wrappedFolder{Folder: folder})
users := folder.Users
usersInGroups, errGrp := provider.getUsersInGroups(folder.Groups)
if errGrp == nil {
users = append(users, usersInGroups...)
users = util.RemoveDuplicates(users, false)
} else {
providerLog(logger.LevelWarn, "unable to get users in groups %+v: %v", folder.Groups, errGrp)
}
for _, user := range users {
provider.setUpdatedAt(user)
u, err := provider.userExists(user, "")
if err == nil {
executeAction(operationUpdate, executor, ipAddress, actionObjectUser, u.Username, u.Role, &u)
}
RemoveCachedWebDAVUser(user)
}
delayedQuotaUpdater.resetFolderQuota(folderName)
}
return err
}
// GetFolderByName returns the folder with the specified name if any
func GetFolderByName(name string) (vfs.BaseVirtualFolder, error) {
name = config.convertName(name)
return provider.getFolderByName(name)
}
// GetFolders returns an array of folders respecting limit and offset
func GetFolders(limit, offset int, order string, minimal bool) ([]vfs.BaseVirtualFolder, error) {
return provider.getFolders(limit, offset, order, minimal)
}
func dumpUsers(data *BackupData, scopes []string) error {
if len(scopes) == 0 || slices.Contains(scopes, DumpScopeUsers) {
users, err := provider.dumpUsers()
if err != nil {
return err
}
data.Users = users
}
return nil
}
func dumpFolders(data *BackupData, scopes []string) error {
if len(scopes) == 0 || slices.Contains(scopes, DumpScopeFolders) {
folders, err := provider.dumpFolders()
if err != nil {
return err
}
data.Folders = folders
}
return nil
}
func dumpGroups(data *BackupData, scopes []string) error {
if len(scopes) == 0 || slices.Contains(scopes, DumpScopeGroups) {
groups, err := provider.dumpGroups()
if err != nil {
return err
}
data.Groups = groups
}
return nil
}
func dumpAdmins(data *BackupData, scopes []string) error {
if len(scopes) == 0 || slices.Contains(scopes, DumpScopeAdmins) {
admins, err := provider.dumpAdmins()
if err != nil {
return err
}
data.Admins = admins
}
return nil
}
func dumpAPIKeys(data *BackupData, scopes []string) error {
if len(scopes) == 0 || slices.Contains(scopes, DumpScopeAPIKeys) {
apiKeys, err := provider.dumpAPIKeys()
if err != nil {
return err
}
data.APIKeys = apiKeys
}
return nil
}
func dumpShares(data *BackupData, scopes []string) error {
if len(scopes) == 0 || slices.Contains(scopes, DumpScopeShares) {
shares, err := provider.dumpShares()
if err != nil {
return err
}
data.Shares = shares
}
return nil
}
func dumpActions(data *BackupData, scopes []string) error {
if len(scopes) == 0 || slices.Contains(scopes, DumpScopeActions) {
actions, err := provider.dumpEventActions()
if err != nil {
return err
}
data.EventActions = actions
}
return nil
}
func dumpRules(data *BackupData, scopes []string) error {
if len(scopes) == 0 || slices.Contains(scopes, DumpScopeRules) {
rules, err := provider.dumpEventRules()
if err != nil {
return err
}
data.EventRules = rules
}
return nil
}
func dumpRoles(data *BackupData, scopes []string) error {
if len(scopes) == 0 || slices.Contains(scopes, DumpScopeRoles) {
roles, err := provider.dumpRoles()
if err != nil {
return err
}
data.Roles = roles
}
return nil
}
func dumpIPLists(data *BackupData, scopes []string) error {
if len(scopes) == 0 || slices.Contains(scopes, DumpScopeIPLists) {
ipLists, err := provider.dumpIPListEntries()
if err != nil {
return err
}
data.IPLists = ipLists
}
return nil
}
func dumpConfigs(data *BackupData, scopes []string) error {
if len(scopes) == 0 || slices.Contains(scopes, DumpScopeConfigs) {
configs, err := provider.getConfigs()
if err != nil {
return err
}
data.Configs = &configs
}
return nil
}
// DumpData returns a dump containing the requested scopes.
// Empty scopes means all
func DumpData(scopes []string) (BackupData, error) {
data := BackupData{
Version: DumpVersion,
}
if err := dumpGroups(&data, scopes); err != nil {
return data, err
}
if err := dumpUsers(&data, scopes); err != nil {
return data, err
}
if err := dumpFolders(&data, scopes); err != nil {
return data, err
}
if err := dumpAdmins(&data, scopes); err != nil {
return data, err
}
if err := dumpAPIKeys(&data, scopes); err != nil {
return data, err
}
if err := dumpShares(&data, scopes); err != nil {
return data, err
}
if err := dumpActions(&data, scopes); err != nil {
return data, err
}
if err := dumpRules(&data, scopes); err != nil {
return data, err
}
if err := dumpRoles(&data, scopes); err != nil {
return data, err
}
if err := dumpIPLists(&data, scopes); err != nil {
return data, err
}
if err := dumpConfigs(&data, scopes); err != nil {
return data, err
}
return data, nil
}
// ParseDumpData tries to parse data as BackupData
func ParseDumpData(data []byte) (BackupData, error) {
var dump BackupData
err := json.Unmarshal(data, &dump)
return dump, err
}
// GetProviderConfig returns the current provider configuration
func GetProviderConfig() Config {
return config
}
// GetProviderStatus returns an error if the provider is not available
func GetProviderStatus() ProviderStatus {
err := provider.checkAvailability()
status := ProviderStatus{
Driver: config.Driver,
}
if err == nil {
status.IsActive = true
} else {
status.IsActive = false
status.Error = err.Error()
}
return status
}
// Close releases all provider resources.
// This method is used in test cases.
// Closing an uninitialized provider is not supported
func Close() error {
stopScheduler()
return provider.close()
}
func createProvider(basePath string) error {
sqlPlaceholders = getSQLPlaceholders()
if err := validateSQLTablesPrefix(); err != nil {
return err
}
logSender = fmt.Sprintf("dataprovider_%v", config.Driver)
switch config.Driver {
case SQLiteDataProviderName:
return initializeSQLiteProvider(basePath)
case PGSQLDataProviderName, CockroachDataProviderName:
return initializePGSQLProvider()
case MySQLDataProviderName:
return initializeMySQLProvider()
case BoltDataProviderName:
return initializeBoltProvider(basePath)
case MemoryDataProviderName:
if err := initializeMemoryProvider(basePath); err != nil {
logger.Warn(logSender, "", "provider initialized but data loading failed: %v", err)
logger.WarnToConsole("provider initialized but data loading failed: %v", err)
}
return nil
default:
return fmt.Errorf("unsupported data provider: %v", config.Driver)
}
}
func copyBaseUserFilters(in sdk.BaseUserFilters) sdk.BaseUserFilters {
filters := sdk.BaseUserFilters{}
filters.MaxUploadFileSize = in.MaxUploadFileSize
filters.TLSUsername = in.TLSUsername
filters.UserType = in.UserType
filters.AllowedIP = make([]string, len(in.AllowedIP))
copy(filters.AllowedIP, in.AllowedIP)
filters.DeniedIP = make([]string, len(in.DeniedIP))
copy(filters.DeniedIP, in.DeniedIP)
filters.DeniedLoginMethods = make([]string, len(in.DeniedLoginMethods))
copy(filters.DeniedLoginMethods, in.DeniedLoginMethods)
filters.FilePatterns = make([]sdk.PatternsFilter, len(in.FilePatterns))
copy(filters.FilePatterns, in.FilePatterns)
filters.DeniedProtocols = make([]string, len(in.DeniedProtocols))
copy(filters.DeniedProtocols, in.DeniedProtocols)
filters.TwoFactorAuthProtocols = make([]string, len(in.TwoFactorAuthProtocols))
copy(filters.TwoFactorAuthProtocols, in.TwoFactorAuthProtocols)
filters.Hooks.ExternalAuthDisabled = in.Hooks.ExternalAuthDisabled
filters.Hooks.PreLoginDisabled = in.Hooks.PreLoginDisabled
filters.Hooks.CheckPasswordDisabled = in.Hooks.CheckPasswordDisabled
filters.DisableFsChecks = in.DisableFsChecks
filters.StartDirectory = in.StartDirectory
filters.FTPSecurity = in.FTPSecurity
filters.IsAnonymous = in.IsAnonymous
filters.AllowAPIKeyAuth = in.AllowAPIKeyAuth
filters.ExternalAuthCacheTime = in.ExternalAuthCacheTime
filters.DefaultSharesExpiration = in.DefaultSharesExpiration
filters.MaxSharesExpiration = in.MaxSharesExpiration
filters.PasswordExpiration = in.PasswordExpiration
filters.PasswordStrength = in.PasswordStrength
filters.WebClient = make([]string, len(in.WebClient))
copy(filters.WebClient, in.WebClient)
filters.TLSCerts = make([]string, len(in.TLSCerts))
copy(filters.TLSCerts, in.TLSCerts)
filters.BandwidthLimits = make([]sdk.BandwidthLimit, 0, len(in.BandwidthLimits))
for _, limit := range in.BandwidthLimits {
bwLimit := sdk.BandwidthLimit{
UploadBandwidth: limit.UploadBandwidth,
DownloadBandwidth: limit.DownloadBandwidth,
Sources: make([]string, 0, len(limit.Sources)),
}
bwLimit.Sources = make([]string, len(limit.Sources))
copy(bwLimit.Sources, limit.Sources)
filters.BandwidthLimits = append(filters.BandwidthLimits, bwLimit)
}
filters.AccessTime = make([]sdk.TimePeriod, 0, len(in.AccessTime))
for _, period := range in.AccessTime {
filters.AccessTime = append(filters.AccessTime, sdk.TimePeriod{
DayOfWeek: period.DayOfWeek,
From: period.From,
To: period.To,
})
}
return filters
}
func buildUserHomeDir(user *User) {
if user.HomeDir == "" {
if config.UsersBaseDir != "" {
user.HomeDir = filepath.Join(config.UsersBaseDir, user.Username)
return
}
switch user.FsConfig.Provider {
case sdk.SFTPFilesystemProvider, sdk.S3FilesystemProvider, sdk.AzureBlobFilesystemProvider, sdk.GCSFilesystemProvider, sdk.HTTPFilesystemProvider:
if tempPath != "" {
user.HomeDir = filepath.Join(tempPath, user.Username)
} else {
user.HomeDir = filepath.Join(os.TempDir(), user.Username)
}
}
} else {
user.HomeDir = filepath.Clean(user.HomeDir)
}
}
func validateFolderQuotaLimits(folder vfs.VirtualFolder) error {
if folder.QuotaSize < -1 {
return util.NewI18nError(
util.NewValidationError(fmt.Sprintf("invalid quota_size: %v folder path %q", folder.QuotaSize, folder.MappedPath)),
util.I18nErrorFolderQuotaSizeInvalid,
)
}
if folder.QuotaFiles < -1 {
return util.NewI18nError(
util.NewValidationError(fmt.Sprintf("invalid quota_file: %v folder path %q", folder.QuotaFiles, folder.MappedPath)),
util.I18nErrorFolderQuotaFileInvalid,
)
}
if (folder.QuotaSize == -1 && folder.QuotaFiles != -1) || (folder.QuotaFiles == -1 && folder.QuotaSize != -1) {
return util.NewI18nError(
util.NewValidationError(fmt.Sprintf("virtual folder quota_size and quota_files must be both -1 or >= 0, quota_size: %v quota_files: %v",
folder.QuotaFiles, folder.QuotaSize)),
util.I18nErrorFolderQuotaInvalid,
)
}
return nil
}
func validateUserGroups(user *User) error {
if len(user.Groups) == 0 {
return nil
}
hasPrimary := false
groupNames := make(map[string]bool)
for _, g := range user.Groups {
if g.Type < sdk.GroupTypePrimary && g.Type > sdk.GroupTypeMembership {
return util.NewValidationError(fmt.Sprintf("invalid group type: %v", g.Type))
}
if g.Type == sdk.GroupTypePrimary {
if hasPrimary {
return util.NewI18nError(
util.NewValidationError("only one primary group is allowed"),
util.I18nErrorPrimaryGroup,
)
}
hasPrimary = true
}
if groupNames[g.Name] {
return util.NewI18nError(
util.NewValidationError(fmt.Sprintf("the group %q is duplicated", g.Name)),
util.I18nErrorDuplicateGroup,
)
}
groupNames[g.Name] = true
}
return nil
}
func validateAssociatedVirtualFolders(vfolders []vfs.VirtualFolder) ([]vfs.VirtualFolder, error) {
if len(vfolders) == 0 {
return []vfs.VirtualFolder{}, nil
}
var virtualFolders []vfs.VirtualFolder
folderNames := make(map[string]bool)
for _, v := range vfolders {
if v.VirtualPath == "" {
return nil, util.NewI18nError(
util.NewValidationError("mount/virtual path is mandatory"),
util.I18nErrorFolderMountPathRequired,
)
}
cleanedVPath := util.CleanPath(v.VirtualPath)
if err := validateFolderQuotaLimits(v); err != nil {
return nil, err
}
if v.Name == "" {
return nil, util.NewI18nError(util.NewValidationError("folder name is mandatory"), util.I18nErrorFolderNameRequired)
}
if folderNames[v.Name] {
return nil, util.NewI18nError(
util.NewValidationError(fmt.Sprintf("the folder %q is duplicated", v.Name)),
util.I18nErrorDuplicatedFolders,
)
}
for _, vFolder := range virtualFolders {
if util.IsDirOverlapped(vFolder.VirtualPath, cleanedVPath, false, "/") {
return nil, util.NewI18nError(
util.NewValidationError(fmt.Sprintf("invalid virtual folder %q, it overlaps with virtual folder %q",
v.VirtualPath, vFolder.VirtualPath)),
util.I18nErrorOverlappedFolders,
)
}
}
virtualFolders = append(virtualFolders, vfs.VirtualFolder{
BaseVirtualFolder: vfs.BaseVirtualFolder{
Name: v.Name,
},
VirtualPath: cleanedVPath,
QuotaSize: v.QuotaSize,
QuotaFiles: v.QuotaFiles,
})
folderNames[v.Name] = true
}
return virtualFolders, nil
}
func validateUserTOTPConfig(c *UserTOTPConfig, username string) error {
if !c.Enabled {
c.ConfigName = ""
c.Secret = kms.NewEmptySecret()
c.Protocols = nil
return nil
}
if c.ConfigName == "" {
return util.NewValidationError("totp: config name is mandatory")
}
if !slices.Contains(mfa.GetAvailableTOTPConfigNames(), c.ConfigName) {
return util.NewValidationError(fmt.Sprintf("totp: config name %q not found", c.ConfigName))
}
if c.Secret.IsEmpty() {
return util.NewValidationError("totp: secret is mandatory")
}
if c.Secret.IsPlain() {
c.Secret.SetAdditionalData(username)
if err := c.Secret.Encrypt(); err != nil {
return util.NewValidationError(fmt.Sprintf("totp: unable to encrypt secret: %v", err))
}
}
if len(c.Protocols) == 0 {
return util.NewValidationError("totp: specify at least one protocol")
}
for _, protocol := range c.Protocols {
if !slices.Contains(MFAProtocols, protocol) {
return util.NewValidationError(fmt.Sprintf("totp: invalid protocol %q", protocol))
}
}
return nil
}
func validateUserRecoveryCodes(user *User) error {
for i := 0; i < len(user.Filters.RecoveryCodes); i++ {
code := &user.Filters.RecoveryCodes[i]
if code.Secret.IsEmpty() {
return util.NewValidationError("mfa: recovery code cannot be empty")
}
if code.Secret.IsPlain() {
code.Secret.SetAdditionalData(user.Username)
if err := code.Secret.Encrypt(); err != nil {
return util.NewValidationError(fmt.Sprintf("mfa: unable to encrypt recovery code: %v", err))
}
}
}
return nil
}
func validateUserPermissions(permsToCheck map[string][]string) (map[string][]string, error) {
permissions := make(map[string][]string)
for dir, perms := range permsToCheck {
if len(perms) == 0 && dir == "/" {
return permissions, util.NewValidationError(fmt.Sprintf("no permissions granted for the directory: %q", dir))
}
if len(perms) > len(ValidPerms) {
return permissions, util.NewValidationError("invalid permissions")
}
for _, p := range perms {
if !slices.Contains(ValidPerms, p) {
return permissions, util.NewValidationError(fmt.Sprintf("invalid permission: %q", p))
}
}
cleanedDir := filepath.ToSlash(path.Clean(dir))
if cleanedDir != "/" {
cleanedDir = strings.TrimSuffix(cleanedDir, "/")
}
if !path.IsAbs(cleanedDir) {
return permissions, util.NewValidationError(fmt.Sprintf("cannot set permissions for non absolute path: %q", dir))
}
if dir != cleanedDir && cleanedDir == "/" {
return permissions, util.NewValidationError(fmt.Sprintf("cannot set permissions for invalid subdirectory: %q is an alias for \"/\"", dir))
}
if slices.Contains(perms, PermAny) {
permissions[cleanedDir] = []string{PermAny}
} else {
permissions[cleanedDir] = util.RemoveDuplicates(perms, false)
}
}
return permissions, nil
}
func validatePermissions(user *User) error {
if len(user.Permissions) == 0 {
return util.NewI18nError(util.NewValidationError("please grant some permissions to this user"), util.I18nErrorNoPermission)
}
if _, ok := user.Permissions["/"]; !ok {
return util.NewI18nError(util.NewValidationError("permissions for the root dir \"/\" must be set"), util.I18nErrorNoRootPermission)
}
permissions, err := validateUserPermissions(user.Permissions)
if err != nil {
return util.NewI18nError(err, util.I18nErrorGenericPermission)
}
user.Permissions = permissions
return nil
}
func validatePublicKeys(user *User) error {
if len(user.PublicKeys) == 0 {
user.PublicKeys = []string{}
}
var validatedKeys []string
for idx, key := range user.PublicKeys {
if key == "" {
continue
}
out, _, _, _, err := ssh.ParseAuthorizedKey([]byte(key))
if err != nil {
return util.NewI18nError(
util.NewValidationError(fmt.Sprintf("error parsing public key at position %d: %v", idx, err)),
util.I18nErrorPubKeyInvalid,
)
}
if k, ok := out.(ssh.CryptoPublicKey); ok {
cryptoKey := k.CryptoPublicKey()
if rsaKey, ok := cryptoKey.(*rsa.PublicKey); ok {
if size := rsaKey.N.BitLen(); size < 2048 {
providerLog(logger.LevelError, "rsa key with size %d not accepted, minimum 2048", size)
return util.NewI18nError(
util.NewValidationError(fmt.Sprintf("invalid size %d for rsa key at position %d, minimum 2048",
size, idx)),
util.I18nErrorKeySizeInvalid,
)
}
}
}
validatedKeys = append(validatedKeys, key)
}
user.PublicKeys = util.RemoveDuplicates(validatedKeys, false)
return nil
}
func validateFiltersPatternExtensions(baseFilters *sdk.BaseUserFilters) error {
if len(baseFilters.FilePatterns) == 0 {
baseFilters.FilePatterns = []sdk.PatternsFilter{}
return nil
}
filteredPaths := []string{}
var filters []sdk.PatternsFilter
for _, f := range baseFilters.FilePatterns {
cleanedPath := filepath.ToSlash(path.Clean(f.Path))
if !path.IsAbs(cleanedPath) {
return util.NewI18nError(
util.NewValidationError(fmt.Sprintf("invalid path %q for file patterns filter", f.Path)),
util.I18nErrorFilePatternPathInvalid,
)
}
if slices.Contains(filteredPaths, cleanedPath) {
return util.NewI18nError(
util.NewValidationError(fmt.Sprintf("duplicate file patterns filter for path %q", f.Path)),
util.I18nErrorFilePatternDuplicated,
)
}
if len(f.AllowedPatterns) == 0 && len(f.DeniedPatterns) == 0 {
return util.NewValidationError(fmt.Sprintf("empty file patterns filter for path %q", f.Path))
}
if f.DenyPolicy < sdk.DenyPolicyDefault || f.DenyPolicy > sdk.DenyPolicyHide {
return util.NewValidationError(fmt.Sprintf("invalid deny policy %v for path %q", f.DenyPolicy, f.Path))
}
f.Path = cleanedPath
allowed := make([]string, 0, len(f.AllowedPatterns))
denied := make([]string, 0, len(f.DeniedPatterns))
for _, pattern := range f.AllowedPatterns {
_, err := path.Match(pattern, "abc")
if err != nil {
return util.NewI18nError(
util.NewValidationError(fmt.Sprintf("invalid file pattern filter %q", pattern)),
util.I18nErrorFilePatternInvalid,
)
}
allowed = append(allowed, strings.ToLower(pattern))
}
for _, pattern := range f.DeniedPatterns {
_, err := path.Match(pattern, "abc")
if err != nil {
return util.NewI18nError(
util.NewValidationError(fmt.Sprintf("invalid file pattern filter %q", pattern)),
util.I18nErrorFilePatternInvalid,
)
}
denied = append(denied, strings.ToLower(pattern))
}
f.AllowedPatterns = util.RemoveDuplicates(allowed, false)
f.DeniedPatterns = util.RemoveDuplicates(denied, false)
filters = append(filters, f)
filteredPaths = append(filteredPaths, cleanedPath)
}
baseFilters.FilePatterns = filters
return nil
}
func checkEmptyFiltersStruct(filters *sdk.BaseUserFilters) {
if len(filters.AllowedIP) == 0 {
filters.AllowedIP = []string{}
}
if len(filters.DeniedIP) == 0 {
filters.DeniedIP = []string{}
}
if len(filters.DeniedLoginMethods) == 0 {
filters.DeniedLoginMethods = []string{}
}
if len(filters.DeniedProtocols) == 0 {
filters.DeniedProtocols = []string{}
}
}
func validateIPFilters(filters *sdk.BaseUserFilters) error {
filters.DeniedIP = util.RemoveDuplicates(filters.DeniedIP, false)
for _, IPMask := range filters.DeniedIP {
_, _, err := net.ParseCIDR(IPMask)
if err != nil {
return util.NewValidationError(fmt.Sprintf("could not parse denied IP/Mask %q: %v", IPMask, err))
}
}
filters.AllowedIP = util.RemoveDuplicates(filters.AllowedIP, false)
for _, IPMask := range filters.AllowedIP {
_, _, err := net.ParseCIDR(IPMask)
if err != nil {
return util.NewValidationError(fmt.Sprintf("could not parse allowed IP/Mask %q: %v", IPMask, err))
}
}
return nil
}
func validateBandwidthLimit(bl sdk.BandwidthLimit) error {
if len(bl.Sources) == 0 {
return util.NewValidationError("no bandwidth limit source specified")
}
for _, source := range bl.Sources {
_, _, err := net.ParseCIDR(source)
if err != nil {
return util.NewValidationError(fmt.Sprintf("could not parse bandwidth limit source %q: %v", source, err))
}
}
return nil
}
func validateBandwidthLimitsFilter(filters *sdk.BaseUserFilters) error {
for idx, bandwidthLimit := range filters.BandwidthLimits {
if err := validateBandwidthLimit(bandwidthLimit); err != nil {
return err
}
if bandwidthLimit.DownloadBandwidth < 0 {
filters.BandwidthLimits[idx].DownloadBandwidth = 0
}
if bandwidthLimit.UploadBandwidth < 0 {
filters.BandwidthLimits[idx].UploadBandwidth = 0
}
}
return nil
}
func updateFiltersValues(filters *sdk.BaseUserFilters) {
if filters.StartDirectory != "" {
filters.StartDirectory = util.CleanPath(filters.StartDirectory)
if filters.StartDirectory == "/" {
filters.StartDirectory = ""
}
}
}
func validateFilterProtocols(filters *sdk.BaseUserFilters) error {
if len(filters.DeniedProtocols) >= len(ValidProtocols) {
return util.NewValidationError("invalid denied_protocols")
}
for _, p := range filters.DeniedProtocols {
if !slices.Contains(ValidProtocols, p) {
return util.NewValidationError(fmt.Sprintf("invalid denied protocol %q", p))
}
}
for _, p := range filters.TwoFactorAuthProtocols {
if !slices.Contains(MFAProtocols, p) {
return util.NewValidationError(fmt.Sprintf("invalid two factor protocol %q", p))
}
}
return nil
}
func validateTLSCerts(certs []string) ([]string, error) {
var validateCerts []string
for idx, cert := range certs {
if cert == "" {
continue
}
derBlock, _ := pem.Decode([]byte(cert))
if derBlock == nil {
return nil, util.NewI18nError(
util.NewValidationError(fmt.Sprintf("invalid TLS certificate %d", idx)),
util.I18nErrorInvalidTLSCert,
)
}
crt, err := x509.ParseCertificate(derBlock.Bytes)
if err != nil {
return nil, util.NewI18nError(
util.NewValidationError(fmt.Sprintf("error parsing TLS certificate %d", idx)),
util.I18nErrorInvalidTLSCert,
)
}
if crt.PublicKeyAlgorithm == x509.RSA {
if rsaCert, ok := crt.PublicKey.(*rsa.PublicKey); ok {
if size := rsaCert.N.BitLen(); size < 2048 {
providerLog(logger.LevelError, "rsa cert with size %d not accepted, minimum 2048", size)
return nil, util.NewI18nError(
util.NewValidationError(fmt.Sprintf("invalid size %d for rsa cert at position %d, minimum 2048",
size, idx)),
util.I18nErrorKeySizeInvalid,
)
}
}
}
validateCerts = append(validateCerts, cert)
}
return validateCerts, nil
}
func validateBaseFilters(filters *sdk.BaseUserFilters) error {
checkEmptyFiltersStruct(filters)
if err := validateIPFilters(filters); err != nil {
return util.NewI18nError(err, util.I18nErrorIPFiltersInvalid)
}
if err := validateBandwidthLimitsFilter(filters); err != nil {
return util.NewI18nError(err, util.I18nErrorSourceBWLimitInvalid)
}
if len(filters.DeniedLoginMethods) >= len(ValidLoginMethods) {
return util.NewValidationError("invalid denied_login_methods")
}
for _, loginMethod := range filters.DeniedLoginMethods {
if !slices.Contains(ValidLoginMethods, loginMethod) {
return util.NewValidationError(fmt.Sprintf("invalid login method: %q", loginMethod))
}
}
if err := validateFilterProtocols(filters); err != nil {
return err
}
if filters.TLSUsername != "" {
if !slices.Contains(validTLSUsernames, string(filters.TLSUsername)) {
return util.NewValidationError(fmt.Sprintf("invalid TLS username: %q", filters.TLSUsername))
}
}
certs, err := validateTLSCerts(filters.TLSCerts)
if err != nil {
return err
}
filters.TLSCerts = certs
for _, opts := range filters.WebClient {
if !slices.Contains(sdk.WebClientOptions, opts) {
return util.NewValidationError(fmt.Sprintf("invalid web client options %q", opts))
}
}
if filters.MaxSharesExpiration > 0 && filters.MaxSharesExpiration < filters.DefaultSharesExpiration {
return util.NewI18nError(
util.NewValidationError(fmt.Sprintf("default shares expiration: %d must be less than or equal to max shares expiration: %d",
filters.DefaultSharesExpiration, filters.MaxSharesExpiration)),
util.I18nErrorShareExpirationInvalid,
)
}
updateFiltersValues(filters)
if err := validateAccessTimeFilters(filters); err != nil {
return err
}
return validateFiltersPatternExtensions(filters)
}
func isTimeOfDayValid(value string) bool {
if len(value) != 5 {
return false
}
parts := strings.Split(value, ":")
if len(parts) != 2 {
return false
}
hour, err := strconv.Atoi(parts[0])
if err != nil {
return false
}
if hour < 0 || hour > 23 {
return false
}
minute, err := strconv.Atoi(parts[1])
if err != nil {
return false
}
if minute < 0 || minute > 59 {
return false
}
return true
}
func validateAccessTimeFilters(filters *sdk.BaseUserFilters) error {
for _, period := range filters.AccessTime {
if period.DayOfWeek < int(time.Sunday) || period.DayOfWeek > int(time.Saturday) {
return util.NewValidationError(fmt.Sprintf("invalid day of week: %d", period.DayOfWeek))
}
if !isTimeOfDayValid(period.From) || !isTimeOfDayValid(period.To) {
return util.NewI18nError(
util.NewValidationError("invalid time of day. Supported format: HH:MM"),
util.I18nErrorTimeOfDayInvalid,
)
}
if period.To <= period.From {
return util.NewI18nError(
util.NewValidationError("invalid time of day. The end time cannot be earlier than the start time"),
util.I18nErrorTimeOfDayConflict,
)
}
}
return nil
}
func validateCombinedUserFilters(user *User) error {
if user.Filters.TOTPConfig.Enabled && slices.Contains(user.Filters.WebClient, sdk.WebClientMFADisabled) {
return util.NewI18nError(
util.NewValidationError("two-factor authentication cannot be disabled for a user with an active configuration"),
util.I18nErrorDisableActive2FA,
)
}
if user.Filters.RequirePasswordChange && slices.Contains(user.Filters.WebClient, sdk.WebClientPasswordChangeDisabled) {
return util.NewI18nError(
util.NewValidationError("you cannot require password change and at the same time disallow it"),
util.I18nErrorPwdChangeConflict,
)
}
if len(user.Filters.TwoFactorAuthProtocols) > 0 && slices.Contains(user.Filters.WebClient, sdk.WebClientMFADisabled) {
return util.NewI18nError(
util.NewValidationError("you cannot require two-factor authentication and at the same time disallow it"),
util.I18nError2FAConflict,
)
}
return nil
}
func validateEmails(user *User) error {
if user.Email != "" && !util.IsEmailValid(user.Email) {
return util.NewI18nError(
util.NewValidationError(fmt.Sprintf("email %q is not valid", user.Email)),
util.I18nErrorInvalidEmail,
)
}
for _, email := range user.Filters.AdditionalEmails {
if !util.IsEmailValid(email) {
return util.NewI18nError(
util.NewValidationError(fmt.Sprintf("email %q is not valid", email)),
util.I18nErrorInvalidEmail,
)
}
}
return nil
}
func validateBaseParams(user *User) error {
if user.Username == "" {
return util.NewI18nError(util.NewValidationError("username is mandatory"), util.I18nErrorUsernameRequired)
}
if err := checkReservedUsernames(user.Username); err != nil {
return util.NewI18nError(err, util.I18nErrorReservedUsername)
}
if err := validateEmails(user); err != nil {
return err
}
if config.NamingRules&1 == 0 && !usernameRegex.MatchString(user.Username) {
return util.NewI18nError(
util.NewValidationError(fmt.Sprintf("username %q is not valid, the following characters are allowed: a-zA-Z0-9-_.~", user.Username)),
util.I18nErrorInvalidUser,
)
}
if user.hasRedactedSecret() {
return util.NewValidationError("cannot save a user with a redacted secret")
}
if user.HomeDir == "" {
return util.NewI18nError(util.NewValidationError("home_dir is mandatory"), util.I18nErrorHomeRequired)
}
// we can have users with no passwords and public keys, they can authenticate via SSH user certs or OIDC
/*if user.Password == "" && len(user.PublicKeys) == 0 {
return util.NewValidationError("please set a password or at least a public_key")
}*/
if !filepath.IsAbs(user.HomeDir) {
return util.NewI18nError(
util.NewValidationError(fmt.Sprintf("home_dir must be an absolute path, actual value: %v", user.HomeDir)),
util.I18nErrorHomeInvalid,
)
}
if user.DownloadBandwidth < 0 {
user.DownloadBandwidth = 0
}
if user.UploadBandwidth < 0 {
user.UploadBandwidth = 0
}
if user.TotalDataTransfer > 0 {
// if a total data transfer is defined we reset the separate upload and download limits
user.UploadDataTransfer = 0
user.DownloadDataTransfer = 0
}
if user.Filters.IsAnonymous {
user.setAnonymousSettings()
}
err := user.FsConfig.Validate(user.GetEncryptionAdditionalData())
if err != nil {
return err
}
return nil
}
func hashPlainPassword(plainPwd string) (string, error) {
if config.PasswordHashing.Algo == HashingAlgoBcrypt {
pwd, err := bcrypt.GenerateFromPassword([]byte(plainPwd), config.PasswordHashing.BcryptOptions.Cost)
if err != nil {
return "", fmt.Errorf("bcrypt hashing error: %w", err)
}
return util.BytesToString(pwd), nil
}
pwd, err := argon2id.CreateHash(plainPwd, argon2Params)
if err != nil {
return "", fmt.Errorf("argon2ID hashing error: %w", err)
}
return pwd, nil
}
func createUserPasswordHash(user *User) error {
if user.Password != "" && !user.IsPasswordHashed() {
if minEntropy := user.getMinPasswordEntropy(); minEntropy > 0 {
if err := passwordvalidator.Validate(user.Password, minEntropy); err != nil {
return util.NewI18nError(util.NewValidationError(err.Error()), util.I18nErrorPasswordComplexity)
}
}
hashedPwd, err := hashPlainPassword(user.Password)
if err != nil {
return err
}
user.Password = hashedPwd
user.LastPasswordChange = util.GetTimeAsMsSinceEpoch(time.Now())
}
return nil
}
// ValidateFolder returns an error if the folder is not valid
// FIXME: this should be defined as Folder struct method
func ValidateFolder(folder *vfs.BaseVirtualFolder) error {
folder.FsConfig.SetEmptySecretsIfNil()
if folder.Name == "" {
return util.NewI18nError(util.NewValidationError("folder name is mandatory"), util.I18nErrorNameRequired)
}
if config.NamingRules&1 == 0 && !usernameRegex.MatchString(folder.Name) {
return util.NewI18nError(
util.NewValidationError(fmt.Sprintf("folder name %q is not valid, the following characters are allowed: a-zA-Z0-9-_.~", folder.Name)),
util.I18nErrorInvalidName,
)
}
if folder.FsConfig.Provider == sdk.LocalFilesystemProvider || folder.FsConfig.Provider == sdk.CryptedFilesystemProvider ||
folder.MappedPath != "" {
cleanedMPath := filepath.Clean(folder.MappedPath)
if !filepath.IsAbs(cleanedMPath) {
return util.NewI18nError(
util.NewValidationError(fmt.Sprintf("invalid folder mapped path %q", folder.MappedPath)),
util.I18nErrorInvalidHomeDir,
)
}
folder.MappedPath = cleanedMPath
}
if folder.HasRedactedSecret() {
return errors.New("cannot save a folder with a redacted secret")
}
return folder.FsConfig.Validate(folder.GetEncryptionAdditionalData())
}
// ValidateUser returns an error if the user is not valid
// FIXME: this should be defined as User struct method
func ValidateUser(user *User) error {
user.OIDCCustomFields = nil
user.HasPassword = false
user.SetEmptySecretsIfNil()
buildUserHomeDir(user)
if err := validateBaseParams(user); err != nil {
return err
}
if err := validateUserGroups(user); err != nil {
return err
}
if err := validatePermissions(user); err != nil {
return err
}
if err := validateUserTOTPConfig(&user.Filters.TOTPConfig, user.Username); err != nil {
return util.NewI18nError(err, util.I18nError2FAInvalid)
}
if err := validateUserRecoveryCodes(user); err != nil {
return util.NewI18nError(err, util.I18nErrorRecoveryCodesInvalid)
}
vfolders, err := validateAssociatedVirtualFolders(user.VirtualFolders)
if err != nil {
return err
}
user.VirtualFolders = vfolders
if user.Status < 0 || user.Status > 1 {
return util.NewValidationError(fmt.Sprintf("invalid user status: %v", user.Status))
}
if err := createUserPasswordHash(user); err != nil {
return err
}
if err := validatePublicKeys(user); err != nil {
return err
}
if err := validateBaseFilters(&user.Filters.BaseUserFilters); err != nil {
return err
}
if !user.HasExternalAuth() {
user.Filters.ExternalAuthCacheTime = 0
}
return validateCombinedUserFilters(user)
}
func isPasswordOK(user *User, password string) (bool, error) {
if config.PasswordCaching {
found, match := cachedUserPasswords.Check(user.Username, password, user.Password)
if found {
return match, nil
}
}
match := false
updatePwd := true
var err error
switch {
case strings.HasPrefix(user.Password, bcryptPwdPrefix):
if err := bcrypt.CompareHashAndPassword([]byte(user.Password), []byte(password)); err != nil {
return match, ErrInvalidCredentials
}
match = true
updatePwd = config.PasswordHashing.Algo != HashingAlgoBcrypt
case strings.HasPrefix(user.Password, argonPwdPrefix):
match, err = argon2id.ComparePasswordAndHash(password, user.Password)
if err != nil {
providerLog(logger.LevelError, "error comparing password with argon hash: %v", err)
return match, err
}
updatePwd = config.PasswordHashing.Algo != HashingAlgoArgon2ID
case util.IsStringPrefixInSlice(user.Password, unixPwdPrefixes):
match, err = compareUnixPasswordAndHash(user, password)
if err != nil {
return match, err
}
case util.IsStringPrefixInSlice(user.Password, pbkdfPwdPrefixes):
match, err = comparePbkdf2PasswordAndHash(password, user.Password)
if err != nil {
return match, err
}
case util.IsStringPrefixInSlice(user.Password, digestPwdPrefixes):
match = compareDigestPasswordAndHash(user, password)
}
if err == nil && match {
cachedUserPasswords.Add(user.Username, password, user.Password)
if updatePwd {
convertUserPassword(user.Username, password)
}
}
return match, err
}
func convertUserPassword(username, plainPwd string) {
hashedPwd, err := hashPlainPassword(plainPwd)
if err == nil {
err = provider.updateUserPassword(username, hashedPwd)
}
if err != nil {
providerLog(logger.LevelWarn, "unable to convert password for user %s: %v", username, err)
} else {
providerLog(logger.LevelDebug, "password converted for user %s", username)
}
}
func checkUserAndTLSCertificate(user *User, protocol string, tlsCert *x509.Certificate) (User, error) {
err := user.LoadAndApplyGroupSettings()
if err != nil {
return *user, err
}
err = user.CheckLoginConditions()
if err != nil {
return *user, err
}
switch protocol {
case protocolFTP, protocolWebDAV:
for _, cert := range user.Filters.TLSCerts {
derBlock, _ := pem.Decode(util.StringToBytes(cert))
if derBlock != nil && bytes.Equal(derBlock.Bytes, tlsCert.Raw) {
return *user, nil
}
}
if user.Filters.TLSUsername == sdk.TLSUsernameCN {
if user.Username == tlsCert.Subject.CommonName {
return *user, nil
}
return *user, fmt.Errorf("CN %q does not match username %q", tlsCert.Subject.CommonName, user.Username)
}
return *user, errors.New("TLS certificate is not valid")
default:
return *user, fmt.Errorf("certificate authentication is not supported for protocol %v", protocol)
}
}
func checkUserAndPass(user *User, password, ip, protocol string) (User, error) {
err := user.LoadAndApplyGroupSettings()
if err != nil {
return *user, err
}
err = user.CheckLoginConditions()
if err != nil {
return *user, err
}
if protocol != protocolHTTP && user.MustChangePassword() {
return *user, errors.New("login not allowed, password change required")
}
if user.Filters.IsAnonymous {
user.setAnonymousSettings()
return *user, nil
}
password, err = checkUserPasscode(user, password, protocol)
if err != nil {
return *user, ErrInvalidCredentials
}
if user.Password == "" || password == "" {
return *user, errors.New("credentials cannot be null or empty")
}
if !user.Filters.Hooks.CheckPasswordDisabled {
hookResponse, err := executeCheckPasswordHook(user.Username, password, ip, protocol)
if err != nil {
providerLog(logger.LevelDebug, "error executing check password hook for user %q, ip %v, protocol %v: %v",
user.Username, ip, protocol, err)
return *user, errors.New("unable to check credentials")
}
switch hookResponse.Status {
case -1:
// no hook configured
case 1:
providerLog(logger.LevelDebug, "password accepted by check password hook for user %q, ip %v, protocol %v",
user.Username, ip, protocol)
return *user, nil
case 2:
providerLog(logger.LevelDebug, "partial success from check password hook for user %q, ip %v, protocol %v",
user.Username, ip, protocol)
password = hookResponse.ToVerify
default:
providerLog(logger.LevelDebug, "password rejected by check password hook for user %q, ip %v, protocol %v, status: %v",
user.Username, ip, protocol, hookResponse.Status)
return *user, ErrInvalidCredentials
}
}
match, err := isPasswordOK(user, password)
if !match {
err = ErrInvalidCredentials
}
return *user, err
}
func checkUserPasscode(user *User, password, protocol string) (string, error) {
if user.Filters.TOTPConfig.Enabled {
switch protocol {
case protocolFTP:
if slices.Contains(user.Filters.TOTPConfig.Protocols, protocol) {
// the TOTP passcode has six digits
pwdLen := len(password)
if pwdLen < 7 {
providerLog(logger.LevelDebug, "password len %v is too short to contain a passcode, user %q, protocol %v",
pwdLen, user.Username, protocol)
return "", util.NewValidationError("password too short, cannot contain the passcode")
}
err := user.Filters.TOTPConfig.Secret.TryDecrypt()
if err != nil {
providerLog(logger.LevelError, "unable to decrypt TOTP secret for user %q, protocol %v, err: %v",
user.Username, protocol, err)
return "", err
}
pwd := password[0:(pwdLen - 6)]
passcode := password[(pwdLen - 6):]
match, err := mfa.ValidateTOTPPasscode(user.Filters.TOTPConfig.ConfigName, passcode,
user.Filters.TOTPConfig.Secret.GetPayload())
if !match || err != nil {
providerLog(logger.LevelWarn, "invalid passcode for user %q, protocol %v, err: %v",
user.Username, protocol, err)
return "", util.NewValidationError("invalid passcode")
}
return pwd, nil
}
}
}
return password, nil
}
func checkUserAndPubKey(user *User, pubKey []byte, isSSHCert bool) (User, string, error) {
err := user.LoadAndApplyGroupSettings()
if err != nil {
return *user, "", err
}
err = user.CheckLoginConditions()
if err != nil {
return *user, "", err
}
if isSSHCert {
return *user, "", nil
}
if len(user.PublicKeys) == 0 {
return *user, "", ErrInvalidCredentials
}
for idx, key := range user.PublicKeys {
storedKey, comment, _, _, err := ssh.ParseAuthorizedKey(util.StringToBytes(key))
if err != nil {
providerLog(logger.LevelError, "error parsing stored public key %d for user %s: %v", idx, user.Username, err)
return *user, "", err
}
if bytes.Equal(storedKey.Marshal(), pubKey) {
return *user, fmt.Sprintf("%s:%s", ssh.FingerprintSHA256(storedKey), comment), nil
}
}
return *user, "", ErrInvalidCredentials
}
func compareDigestPasswordAndHash(user *User, password string) bool {
if strings.HasPrefix(user.Password, md5DigestPwdPrefix) {
h := md5.New()
h.Write([]byte(password))
return fmt.Sprintf("%s%x", md5DigestPwdPrefix, h.Sum(nil)) == user.Password
}
if strings.HasPrefix(user.Password, sha256DigestPwdPrefix) {
h := sha256.New()
h.Write([]byte(password))
return fmt.Sprintf("%s%x", sha256DigestPwdPrefix, h.Sum(nil)) == user.Password
}
if strings.HasPrefix(user.Password, sha512DigestPwdPrefix) {
h := sha512.New()
h.Write([]byte(password))
return fmt.Sprintf("%s%x", sha512DigestPwdPrefix, h.Sum(nil)) == user.Password
}
return false
}
func compareUnixPasswordAndHash(user *User, password string) (bool, error) {
if strings.HasPrefix(user.Password, yescryptPwdPrefix) {
return compareYescryptPassword(user.Password, password)
}
var crypter crypt.Crypter
if strings.HasPrefix(user.Password, sha512cryptPwdPrefix) {
crypter = sha512_crypt.New()
} else if strings.HasPrefix(user.Password, sha256cryptPwdPrefix) {
crypter = sha256_crypt.New()
} else if strings.HasPrefix(user.Password, md5cryptPwdPrefix) {
crypter = md5_crypt.New()
} else if strings.HasPrefix(user.Password, md5cryptApr1PwdPrefix) {
crypter = apr1_crypt.New()
} else {
return false, errors.New("unix crypt: invalid or unsupported hash format")
}
if err := crypter.Verify(user.Password, []byte(password)); err != nil {
return false, err
}
return true, nil
}
func comparePbkdf2PasswordAndHash(password, hashedPassword string) (bool, error) {
vals := strings.Split(hashedPassword, "$")
if len(vals) != 5 {
return false, fmt.Errorf("pbkdf2: hash is not in the correct format")
}
iterations, err := strconv.Atoi(vals[2])
if err != nil {
return false, err
}
expected, err := base64.StdEncoding.DecodeString(vals[4])
if err != nil {
return false, err
}
var salt []byte
if util.IsStringPrefixInSlice(hashedPassword, pbkdfPwdB64SaltPrefixes) {
salt, err = base64.StdEncoding.DecodeString(vals[3])
if err != nil {
return false, err
}
} else {
salt = []byte(vals[3])
}
var hashFunc func() hash.Hash
if strings.HasPrefix(hashedPassword, pbkdf2SHA256Prefix) || strings.HasPrefix(hashedPassword, pbkdf2SHA256B64SaltPrefix) {
hashFunc = sha256.New
} else if strings.HasPrefix(hashedPassword, pbkdf2SHA512Prefix) {
hashFunc = sha512.New
} else if strings.HasPrefix(hashedPassword, pbkdf2SHA1Prefix) {
hashFunc = sha1.New
} else {
return false, fmt.Errorf("pbkdf2: invalid or unsupported hash format %v", vals[1])
}
df := pbkdf2.Key([]byte(password), salt, iterations, len(expected), hashFunc)
return subtle.ConstantTimeCompare(df, expected) == 1, nil
}
func getSSLMode() string {
if config.Driver == PGSQLDataProviderName || config.Driver == CockroachDataProviderName {
switch config.SSLMode {
case 0:
return "disable"
case 1:
return "require"
case 2:
return "verify-ca"
case 3:
return "verify-full"
case 4:
return "prefer"
case 5:
return "allow"
}
} else if config.Driver == MySQLDataProviderName {
if config.requireCustomTLSForMySQL() {
return "custom"
}
switch config.SSLMode {
case 0:
return "false"
case 1:
return "true"
case 2:
return "skip-verify"
case 3:
return "preferred"
}
}
return ""
}
func terminateInteractiveAuthProgram(cmd *exec.Cmd, isFinished bool) {
if isFinished {
return
}
providerLog(logger.LevelInfo, "kill interactive auth program after an unexpected error")
err := cmd.Process.Kill()
if err != nil {
providerLog(logger.LevelDebug, "error killing interactive auth program: %v", err)
}
}
func sendKeyboardAuthHTTPReq(url string, request *plugin.KeyboardAuthRequest) (*plugin.KeyboardAuthResponse, error) {
reqAsJSON, err := json.Marshal(request)
if err != nil {
providerLog(logger.LevelError, "error serializing keyboard interactive auth request: %v", err)
return nil, err
}
resp, err := httpclient.Post(url, "application/json", bytes.NewBuffer(reqAsJSON))
if err != nil {
providerLog(logger.LevelError, "error getting keyboard interactive auth hook HTTP response: %v", err)
return nil, err
}
defer resp.Body.Close()
if resp.StatusCode != http.StatusOK {
return nil, fmt.Errorf("wrong keyboard interactive auth http status code: %v, expected 200", resp.StatusCode)
}
var response plugin.KeyboardAuthResponse
err = render.DecodeJSON(resp.Body, &response)
return &response, err
}
func doBuiltinKeyboardInteractiveAuth(user *User, client ssh.KeyboardInteractiveChallenge,
ip, protocol string, isPartialAuth bool,
) (int, error) {
if err := user.LoadAndApplyGroupSettings(); err != nil {
return 0, err
}
hasSecondFactor := user.Filters.TOTPConfig.Enabled && slices.Contains(user.Filters.TOTPConfig.Protocols, protocolSSH)
if !isPartialAuth || !hasSecondFactor {
answers, err := client("", "", []string{"Password: "}, []bool{false})
if err != nil {
return 0, err
}
if len(answers) != 1 {
return 0, fmt.Errorf("unexpected number of answers: %d", len(answers))
}
_, err = checkUserAndPass(user, answers[0], ip, protocol)
if err != nil {
return 0, err
}
}
return checkKeyboardInteractiveSecondFactor(user, client, protocol)
}
func checkKeyboardInteractiveSecondFactor(user *User, client ssh.KeyboardInteractiveChallenge, protocol string) (int, error) {
if !user.Filters.TOTPConfig.Enabled || !slices.Contains(user.Filters.TOTPConfig.Protocols, protocolSSH) {
return 1, nil
}
err := user.Filters.TOTPConfig.Secret.TryDecrypt()
if err != nil {
providerLog(logger.LevelError, "unable to decrypt TOTP secret for user %q, protocol %v, err: %v",
user.Username, protocol, err)
return 0, err
}
answers, err := client("", "", []string{"Authentication code: "}, []bool{false})
if err != nil {
return 0, err
}
if len(answers) != 1 {
return 0, fmt.Errorf("unexpected number of answers: %v", len(answers))
}
match, err := mfa.ValidateTOTPPasscode(user.Filters.TOTPConfig.ConfigName, answers[0],
user.Filters.TOTPConfig.Secret.GetPayload())
if !match || err != nil {
providerLog(logger.LevelWarn, "invalid passcode for user %q, protocol %v, err: %v",
user.Username, protocol, err)
return 0, util.NewValidationError("invalid passcode")
}
return 1, nil
}
func executeKeyboardInteractivePlugin(user *User, client ssh.KeyboardInteractiveChallenge, ip, protocol string) (int, error) {
authResult := 0
requestID := xid.New().String()
authStep := 1
req := &plugin.KeyboardAuthRequest{
Username: user.Username,
IP: ip,
Password: user.Password,
RequestID: requestID,
Step: authStep,
}
var response *plugin.KeyboardAuthResponse
var err error
for {
response, err = plugin.Handler.ExecuteKeyboardInteractiveStep(req)
if err != nil {
return authResult, err
}
if response.AuthResult != 0 {
return response.AuthResult, err
}
if err = response.Validate(); err != nil {
providerLog(logger.LevelInfo, "invalid response from keyboard interactive plugin: %v", err)
return authResult, err
}
answers, err := getKeyboardInteractiveAnswers(client, response, user, ip, protocol)
if err != nil {
return authResult, err
}
authStep++
req = &plugin.KeyboardAuthRequest{
RequestID: requestID,
Step: authStep,
Username: user.Username,
Password: user.Password,
Answers: answers,
Questions: response.Questions,
}
}
}
func executeKeyboardInteractiveHTTPHook(user *User, authHook string, client ssh.KeyboardInteractiveChallenge, ip, protocol string) (int, error) {
authResult := 0
requestID := xid.New().String()
authStep := 1
req := &plugin.KeyboardAuthRequest{
Username: user.Username,
IP: ip,
Password: user.Password,
RequestID: requestID,
Step: authStep,
}
var response *plugin.KeyboardAuthResponse
var err error
for {
response, err = sendKeyboardAuthHTTPReq(authHook, req)
if err != nil {
return authResult, err
}
if response.AuthResult != 0 {
return response.AuthResult, err
}
if err = response.Validate(); err != nil {
providerLog(logger.LevelInfo, "invalid response from keyboard interactive http hook: %v", err)
return authResult, err
}
answers, err := getKeyboardInteractiveAnswers(client, response, user, ip, protocol)
if err != nil {
return authResult, err
}
authStep++
req = &plugin.KeyboardAuthRequest{
RequestID: requestID,
Step: authStep,
Username: user.Username,
Password: user.Password,
Answers: answers,
Questions: response.Questions,
}
}
}
func getKeyboardInteractiveAnswers(client ssh.KeyboardInteractiveChallenge, response *plugin.KeyboardAuthResponse,
user *User, ip, protocol string,
) ([]string, error) {
questions := response.Questions
answers, err := client("", response.Instruction, questions, response.Echos)
if err != nil {
providerLog(logger.LevelInfo, "error getting interactive auth client response: %v", err)
return answers, err
}
if len(answers) != len(questions) {
err = fmt.Errorf("client answers does not match questions, expected: %v actual: %v", questions, answers)
providerLog(logger.LevelInfo, "keyboard interactive auth error: %v", err)
return answers, err
}
if len(answers) == 1 && response.CheckPwd > 0 {
if response.CheckPwd == 2 {
if !user.Filters.TOTPConfig.Enabled || !slices.Contains(user.Filters.TOTPConfig.Protocols, protocolSSH) {
providerLog(logger.LevelInfo, "keyboard interactive auth error: unable to check TOTP passcode, TOTP is not enabled for user %q",
user.Username)
return answers, errors.New("TOTP not enabled for SSH protocol")
}
err := user.Filters.TOTPConfig.Secret.TryDecrypt()
if err != nil {
providerLog(logger.LevelError, "unable to decrypt TOTP secret for user %q, protocol %v, err: %v",
user.Username, protocol, err)
return answers, fmt.Errorf("unable to decrypt TOTP secret: %w", err)
}
match, err := mfa.ValidateTOTPPasscode(user.Filters.TOTPConfig.ConfigName, answers[0],
user.Filters.TOTPConfig.Secret.GetPayload())
if !match || err != nil {
providerLog(logger.LevelInfo, "keyboard interactive auth error: unable to validate passcode for user %q, match? %v, err: %v",
user.Username, match, err)
return answers, errors.New("unable to validate TOTP passcode")
}
} else {
_, err = checkUserAndPass(user, answers[0], ip, protocol)
providerLog(logger.LevelInfo, "interactive auth hook requested password validation for user %q, validation error: %v",
user.Username, err)
if err != nil {
return answers, err
}
}
answers[0] = "OK"
}
return answers, err
}
func handleProgramInteractiveQuestions(client ssh.KeyboardInteractiveChallenge, response *plugin.KeyboardAuthResponse,
user *User, stdin io.WriteCloser, ip, protocol string,
) error {
answers, err := getKeyboardInteractiveAnswers(client, response, user, ip, protocol)
if err != nil {
return err
}
for _, answer := range answers {
if runtime.GOOS == "windows" {
answer += "\r"
}
answer += "\n"
_, err = stdin.Write([]byte(answer))
if err != nil {
providerLog(logger.LevelError, "unable to write client answer to keyboard interactive program: %v", err)
return err
}
}
return nil
}
func executeKeyboardInteractiveProgram(user *User, authHook string, client ssh.KeyboardInteractiveChallenge, ip, protocol string) (int, error) {
authResult := 0
timeout, env, args := command.GetConfig(authHook, command.HookKeyboardInteractive)
ctx, cancel := context.WithTimeout(context.Background(), timeout)
defer cancel()
cmd := exec.CommandContext(ctx, authHook, args...)
cmd.Env = append(env,
fmt.Sprintf("SFTPGO_AUTHD_USERNAME=%s", user.Username),
fmt.Sprintf("SFTPGO_AUTHD_IP=%s", ip),
fmt.Sprintf("SFTPGO_AUTHD_PASSWORD=%s", user.Password))
stdout, err := cmd.StdoutPipe()
if err != nil {
return authResult, err
}
stdin, err := cmd.StdinPipe()
if err != nil {
return authResult, err
}
err = cmd.Start()
if err != nil {
return authResult, err
}
var once sync.Once
scanner := bufio.NewScanner(stdout)
for scanner.Scan() {
var response plugin.KeyboardAuthResponse
err = json.Unmarshal(scanner.Bytes(), &response)
if err != nil {
providerLog(logger.LevelInfo, "interactive auth error parsing response: %v", err)
once.Do(func() { terminateInteractiveAuthProgram(cmd, false) })
break
}
if response.AuthResult != 0 {
authResult = response.AuthResult
break
}
if err = response.Validate(); err != nil {
providerLog(logger.LevelInfo, "invalid response from keyboard interactive program: %v", err)
once.Do(func() { terminateInteractiveAuthProgram(cmd, false) })
break
}
go func() {
err := handleProgramInteractiveQuestions(client, &response, user, stdin, ip, protocol)
if err != nil {
once.Do(func() { terminateInteractiveAuthProgram(cmd, false) })
}
}()
}
stdin.Close()
once.Do(func() { terminateInteractiveAuthProgram(cmd, true) })
go func() {
_, err := cmd.Process.Wait()
if err != nil {
providerLog(logger.LevelWarn, "error waiting for %q process to exit: %v", authHook, err)
}
}()
return authResult, err
}
func doKeyboardInteractiveAuth(user *User, authHook string, client ssh.KeyboardInteractiveChallenge,
ip, protocol string, isPartialAuth bool,
) (User, error) {
if err := user.LoadAndApplyGroupSettings(); err != nil {
return *user, err
}
var authResult int
var err error
if !user.Filters.Hooks.ExternalAuthDisabled {
if plugin.Handler.HasAuthScope(plugin.AuthScopeKeyboardInteractive) {
authResult, err = executeKeyboardInteractivePlugin(user, client, ip, protocol)
if authResult == 1 && err == nil {
authResult, err = checkKeyboardInteractiveSecondFactor(user, client, protocol)
}
} else if authHook != "" {
if strings.HasPrefix(authHook, "http") {
authResult, err = executeKeyboardInteractiveHTTPHook(user, authHook, client, ip, protocol)
} else {
authResult, err = executeKeyboardInteractiveProgram(user, authHook, client, ip, protocol)
}
} else {
authResult, err = doBuiltinKeyboardInteractiveAuth(user, client, ip, protocol, isPartialAuth)
}
} else {
authResult, err = doBuiltinKeyboardInteractiveAuth(user, client, ip, protocol, isPartialAuth)
}
if err != nil {
return *user, err
}
if authResult != 1 {
return *user, fmt.Errorf("keyboard interactive auth failed, result: %v", authResult)
}
err = user.CheckLoginConditions()
if err != nil {
return *user, err
}
return *user, nil
}
func isCheckPasswordHookDefined(protocol string) bool {
if config.CheckPasswordHook == "" {
return false
}
if config.CheckPasswordScope == 0 {
return true
}
switch protocol {
case protocolSSH:
return config.CheckPasswordScope&1 != 0
case protocolFTP:
return config.CheckPasswordScope&2 != 0
case protocolWebDAV:
return config.CheckPasswordScope&4 != 0
default:
return false
}
}
func getPasswordHookResponse(username, password, ip, protocol string) ([]byte, error) {
if strings.HasPrefix(config.CheckPasswordHook, "http") {
var result []byte
req := checkPasswordRequest{
Username: username,
Password: password,
IP: ip,
Protocol: protocol,
}
reqAsJSON, err := json.Marshal(req)
if err != nil {
return result, err
}
resp, err := httpclient.Post(config.CheckPasswordHook, "application/json", bytes.NewBuffer(reqAsJSON))
if err != nil {
providerLog(logger.LevelError, "error getting check password hook response: %v", err)
return result, err
}
defer resp.Body.Close()
if resp.StatusCode != http.StatusOK {
return result, fmt.Errorf("wrong http status code from chek password hook: %v, expected 200", resp.StatusCode)
}
return io.ReadAll(io.LimitReader(resp.Body, maxHookResponseSize))
}
timeout, env, args := command.GetConfig(config.CheckPasswordHook, command.HookCheckPassword)
ctx, cancel := context.WithTimeout(context.Background(), timeout)
defer cancel()
cmd := exec.CommandContext(ctx, config.CheckPasswordHook, args...)
cmd.Env = append(env,
fmt.Sprintf("SFTPGO_AUTHD_USERNAME=%s", username),
fmt.Sprintf("SFTPGO_AUTHD_PASSWORD=%s", password),
fmt.Sprintf("SFTPGO_AUTHD_IP=%s", ip),
fmt.Sprintf("SFTPGO_AUTHD_PROTOCOL=%s", protocol),
)
return cmd.Output()
}
func executeCheckPasswordHook(username, password, ip, protocol string) (checkPasswordResponse, error) {
var response checkPasswordResponse
if !isCheckPasswordHookDefined(protocol) {
response.Status = -1
return response, nil
}
startTime := time.Now()
out, err := getPasswordHookResponse(username, password, ip, protocol)
providerLog(logger.LevelDebug, "check password hook executed, error: %v, elapsed: %v", err, time.Since(startTime))
if err != nil {
return response, err
}
err = json.Unmarshal(out, &response)
return response, err
}
func getPreLoginHookResponse(loginMethod, ip, protocol string, userAsJSON []byte) ([]byte, error) {
if strings.HasPrefix(config.PreLoginHook, "http") {
var url *url.URL
var result []byte
url, err := url.Parse(config.PreLoginHook)
if err != nil {
providerLog(logger.LevelError, "invalid url for pre-login hook %q, error: %v", config.PreLoginHook, err)
return result, err
}
q := url.Query()
q.Add("login_method", loginMethod)
q.Add("ip", ip)
q.Add("protocol", protocol)
url.RawQuery = q.Encode()
resp, err := httpclient.Post(url.String(), "application/json", bytes.NewBuffer(userAsJSON))
if err != nil {
providerLog(logger.LevelWarn, "error getting pre-login hook response: %v", err)
return result, err
}
defer resp.Body.Close()
if resp.StatusCode == http.StatusNoContent {
return result, nil
}
if resp.StatusCode != http.StatusOK {
return result, fmt.Errorf("wrong pre-login hook http status code: %v, expected 200", resp.StatusCode)
}
return io.ReadAll(io.LimitReader(resp.Body, maxHookResponseSize))
}
timeout, env, args := command.GetConfig(config.PreLoginHook, command.HookPreLogin)
ctx, cancel := context.WithTimeout(context.Background(), timeout)
defer cancel()
cmd := exec.CommandContext(ctx, config.PreLoginHook, args...)
cmd.Env = append(env,
fmt.Sprintf("SFTPGO_LOGIND_USER=%s", util.BytesToString(userAsJSON)),
fmt.Sprintf("SFTPGO_LOGIND_METHOD=%s", loginMethod),
fmt.Sprintf("SFTPGO_LOGIND_IP=%s", ip),
fmt.Sprintf("SFTPGO_LOGIND_PROTOCOL=%s", protocol),
)
return cmd.Output()
}
func executePreLoginHook(username, loginMethod, ip, protocol string, oidcTokenFields *map[string]any) (User, error) {
u, mergedUser, userAsJSON, err := getUserAndJSONForHook(username, oidcTokenFields)
if err != nil {
return u, err
}
if mergedUser.Filters.Hooks.PreLoginDisabled {
return u, nil
}
startTime := time.Now()
out, err := getPreLoginHookResponse(loginMethod, ip, protocol, userAsJSON)
if err != nil {
return u, fmt.Errorf("pre-login hook error: %v, username %q, ip %v, protocol %v elapsed %v",
err, username, ip, protocol, time.Since(startTime))
}
providerLog(logger.LevelDebug, "pre-login hook completed, elapsed: %s", time.Since(startTime))
if util.IsByteArrayEmpty(out) {
providerLog(logger.LevelDebug, "empty response from pre-login hook, no modification requested for user %q id: %d",
username, u.ID)
if u.ID == 0 {
return u, util.NewRecordNotFoundError(fmt.Sprintf("username %q does not exist", username))
}
return u, nil
}
userID := u.ID
userUsedQuotaSize := u.UsedQuotaSize
userUsedQuotaFiles := u.UsedQuotaFiles
userUsedDownloadTransfer := u.UsedDownloadDataTransfer
userUsedUploadTransfer := u.UsedUploadDataTransfer
userLastQuotaUpdate := u.LastQuotaUpdate
userLastLogin := u.LastLogin
userFirstDownload := u.FirstDownload
userFirstUpload := u.FirstUpload
userLastPwdChange := u.LastPasswordChange
userCreatedAt := u.CreatedAt
totpConfig := u.Filters.TOTPConfig
recoveryCodes := u.Filters.RecoveryCodes
err = json.Unmarshal(out, &u)
if err != nil {
return u, fmt.Errorf("invalid pre-login hook response %q, error: %v", util.BytesToString(out), err)
}
u.ID = userID
u.UsedQuotaSize = userUsedQuotaSize
u.UsedQuotaFiles = userUsedQuotaFiles
u.UsedUploadDataTransfer = userUsedUploadTransfer
u.UsedDownloadDataTransfer = userUsedDownloadTransfer
u.LastQuotaUpdate = userLastQuotaUpdate
u.LastLogin = userLastLogin
u.LastPasswordChange = userLastPwdChange
u.FirstDownload = userFirstDownload
u.FirstUpload = userFirstUpload
u.CreatedAt = userCreatedAt
if userID == 0 {
err = provider.addUser(&u)
} else {
u.UpdatedAt = util.GetTimeAsMsSinceEpoch(time.Now())
// preserve TOTP config and recovery codes
u.Filters.TOTPConfig = totpConfig
u.Filters.RecoveryCodes = recoveryCodes
err = provider.updateUser(&u)
if err == nil {
webDAVUsersCache.swap(&u, "")
}
}
if err != nil {
return u, err
}
providerLog(logger.LevelDebug, "user %q added/updated from pre-login hook response, id: %d", username, userID)
if userID == 0 {
return provider.userExists(username, "")
}
return u, nil
}
// ExecutePostLoginHook executes the post login hook if defined
func ExecutePostLoginHook(user *User, loginMethod, ip, protocol string, err error) {
if config.PostLoginHook == "" {
return
}
if config.PostLoginScope == 1 && err == nil {
return
}
if config.PostLoginScope == 2 && err != nil {
return
}
go func() {
actionsConcurrencyGuard <- struct{}{}
defer func() {
<-actionsConcurrencyGuard
}()
status := "0"
if err == nil {
status = "1"
}
user.PrepareForRendering()
userAsJSON, err := json.Marshal(user)
if err != nil {
providerLog(logger.LevelError, "error serializing user in post login hook: %v", err)
return
}
if strings.HasPrefix(config.PostLoginHook, "http") {
var url *url.URL
url, err := url.Parse(config.PostLoginHook)
if err != nil {
providerLog(logger.LevelDebug, "Invalid post-login hook %q", config.PostLoginHook)
return
}
q := url.Query()
q.Add("login_method", loginMethod)
q.Add("ip", ip)
q.Add("protocol", protocol)
q.Add("status", status)
url.RawQuery = q.Encode()
startTime := time.Now()
respCode := 0
resp, err := httpclient.RetryablePost(url.String(), "application/json", bytes.NewBuffer(userAsJSON))
if err == nil {
respCode = resp.StatusCode
resp.Body.Close()
}
providerLog(logger.LevelDebug, "post login hook executed for user %q, ip %v, protocol %v, response code: %v, elapsed: %v err: %v",
user.Username, ip, protocol, respCode, time.Since(startTime), err)
return
}
timeout, env, args := command.GetConfig(config.PostLoginHook, command.HookPostLogin)
ctx, cancel := context.WithTimeout(context.Background(), timeout)
defer cancel()
cmd := exec.CommandContext(ctx, config.PostLoginHook, args...)
cmd.Env = append(env,
fmt.Sprintf("SFTPGO_LOGIND_USER=%s", util.BytesToString(userAsJSON)),
fmt.Sprintf("SFTPGO_LOGIND_IP=%s", ip),
fmt.Sprintf("SFTPGO_LOGIND_METHOD=%s", loginMethod),
fmt.Sprintf("SFTPGO_LOGIND_STATUS=%s", status),
fmt.Sprintf("SFTPGO_LOGIND_PROTOCOL=%s", protocol))
startTime := time.Now()
err = cmd.Run()
providerLog(logger.LevelDebug, "post login hook executed for user %q, ip %v, protocol %v, elapsed %v err: %v",
user.Username, ip, protocol, time.Since(startTime), err)
}()
}
func getExternalAuthResponse(username, password, pkey, keyboardInteractive, ip, protocol string, cert *x509.Certificate,
user User,
) ([]byte, error) {
var tlsCert string
if cert != nil {
var err error
tlsCert, err = util.EncodeTLSCertToPem(cert)
if err != nil {
return nil, err
}
}
if strings.HasPrefix(config.ExternalAuthHook, "http") {
var result []byte
authRequest := make(map[string]any)
authRequest["username"] = username
authRequest["ip"] = ip
authRequest["password"] = password
authRequest["public_key"] = pkey
authRequest["protocol"] = protocol
authRequest["keyboard_interactive"] = keyboardInteractive
authRequest["tls_cert"] = tlsCert
if user.ID > 0 {
authRequest["user"] = user
}
authRequestAsJSON, err := json.Marshal(authRequest)
if err != nil {
providerLog(logger.LevelError, "error serializing external auth request: %v", err)
return result, err
}
resp, err := httpclient.Post(config.ExternalAuthHook, "application/json", bytes.NewBuffer(authRequestAsJSON))
if err != nil {
providerLog(logger.LevelWarn, "error getting external auth hook HTTP response: %v", err)
return result, err
}
defer resp.Body.Close()
providerLog(logger.LevelDebug, "external auth hook executed, response code: %v", resp.StatusCode)
if resp.StatusCode != http.StatusOK {
return result, fmt.Errorf("wrong external auth http status code: %v, expected 200", resp.StatusCode)
}
return io.ReadAll(io.LimitReader(resp.Body, maxHookResponseSize))
}
var userAsJSON []byte
var err error
if user.ID > 0 {
userAsJSON, err = json.Marshal(user)
if err != nil {
return nil, fmt.Errorf("unable to serialize user as JSON: %w", err)
}
}
timeout, env, args := command.GetConfig(config.ExternalAuthHook, command.HookExternalAuth)
ctx, cancel := context.WithTimeout(context.Background(), timeout)
defer cancel()
cmd := exec.CommandContext(ctx, config.ExternalAuthHook, args...)
cmd.Env = append(env,
fmt.Sprintf("SFTPGO_AUTHD_USERNAME=%s", username),
fmt.Sprintf("SFTPGO_AUTHD_USER=%s", util.BytesToString(userAsJSON)),
fmt.Sprintf("SFTPGO_AUTHD_IP=%s", ip),
fmt.Sprintf("SFTPGO_AUTHD_PASSWORD=%s", password),
fmt.Sprintf("SFTPGO_AUTHD_PUBLIC_KEY=%s", pkey),
fmt.Sprintf("SFTPGO_AUTHD_PROTOCOL=%s", protocol),
fmt.Sprintf("SFTPGO_AUTHD_TLS_CERT=%s", strings.ReplaceAll(tlsCert, "\n", "\\n")),
fmt.Sprintf("SFTPGO_AUTHD_KEYBOARD_INTERACTIVE=%v", keyboardInteractive))
return cmd.Output()
}
func updateUserFromExtAuthResponse(user *User, password, pkey string) {
if password != "" {
user.Password = password
}
if pkey != "" && !util.IsStringPrefixInSlice(pkey, user.PublicKeys) {
user.PublicKeys = append(user.PublicKeys, pkey)
}
user.LastPasswordChange = 0
}
func checkPasswordAfterEmptyExtAuthResponse(user *User, plainPwd, protocol string) error {
if plainPwd == "" {
return nil
}
match, err := isPasswordOK(user, plainPwd)
if match && err == nil {
return nil
}
hashedPwd, err := hashPlainPassword(plainPwd)
if err != nil {
providerLog(logger.LevelError, "unable to hash password for user %q after empty external response: %v",
user.Username, err)
return err
}
err = provider.updateUserPassword(user.Username, hashedPwd)
if err != nil {
providerLog(logger.LevelError, "unable to update password for user %q after empty external response: %v",
user.Username, err)
}
user.Password = hashedPwd
cachedUserPasswords.Add(user.Username, plainPwd, user.Password)
if protocol != protocolWebDAV {
webDAVUsersCache.swap(user, plainPwd)
}
providerLog(logger.LevelDebug, "updated password for user %q after empty external auth response", user.Username)
return nil
}
func doExternalAuth(username, password string, pubKey []byte, keyboardInteractive, ip, protocol string,
tlsCert *x509.Certificate,
) (User, error) {
var user User
u, mergedUser, err := getUserForHook(username, nil)
if err != nil {
return user, err
}
if mergedUser.skipExternalAuth() {
return u, nil
}
pkey, err := util.GetSSHPublicKeyAsString(pubKey)
if err != nil {
return user, err
}
startTime := time.Now()
out, err := getExternalAuthResponse(username, password, pkey, keyboardInteractive, ip, protocol, tlsCert, u)
if err != nil {
return user, fmt.Errorf("external auth error for user %q, elapsed: %s: %w", username, time.Since(startTime), err)
}
providerLog(logger.LevelDebug, "external auth completed for user %q, elapsed: %s", username, time.Since(startTime))
if util.IsByteArrayEmpty(out) {
providerLog(logger.LevelDebug, "empty response from external hook, no modification requested for user %q, id: %d",
username, u.ID)
if u.ID == 0 {
return u, util.NewRecordNotFoundError(fmt.Sprintf("username %q does not exist", username))
}
err = checkPasswordAfterEmptyExtAuthResponse(&u, password, protocol)
return u, err
}
err = json.Unmarshal(out, &user)
if err != nil {
return user, fmt.Errorf("invalid external auth response: %v", err)
}
// an empty username means authentication failure
if user.Username == "" {
return user, ErrInvalidCredentials
}
updateUserFromExtAuthResponse(&user, password, pkey)
// some users want to map multiple login usernames with a single SFTPGo account
// for example an SFTP user logins using "user1" or "user2" and the external auth
// returns "user" in both cases, so we use the username returned from
// external auth and not the one used to login
if user.Username != username {
u, err = provider.userExists(user.Username, "")
}
if u.ID > 0 && err == nil {
user.ID = u.ID
user.UsedQuotaSize = u.UsedQuotaSize
user.UsedQuotaFiles = u.UsedQuotaFiles
user.UsedUploadDataTransfer = u.UsedUploadDataTransfer
user.UsedDownloadDataTransfer = u.UsedDownloadDataTransfer
user.LastQuotaUpdate = u.LastQuotaUpdate
user.LastLogin = u.LastLogin
user.LastPasswordChange = u.LastPasswordChange
user.FirstDownload = u.FirstDownload
user.FirstUpload = u.FirstUpload
user.CreatedAt = u.CreatedAt
user.UpdatedAt = util.GetTimeAsMsSinceEpoch(time.Now())
// preserve TOTP config and recovery codes
user.Filters.TOTPConfig = u.Filters.TOTPConfig
user.Filters.RecoveryCodes = u.Filters.RecoveryCodes
user, err = updateUserAfterExternalAuth(&user)
if err == nil {
if protocol != protocolWebDAV {
webDAVUsersCache.swap(&user, password)
}
cachedUserPasswords.Add(user.Username, password, user.Password)
executeAction(operationUpdate, ActionExecutorSelf, "", actionObjectUser, user.Username, "", &user)
}
return user, err
}
err = provider.addUser(&user)
if err != nil {
return user, err
}
executeAction(operationAdd, ActionExecutorSelf, "", actionObjectUser, user.Username, "", &user)
return provider.userExists(user.Username, "")
}
func doPluginAuth(username, password string, pubKey []byte, ip, protocol string,
tlsCert *x509.Certificate, authScope int,
) (User, error) {
var user User
u, mergedUser, userAsJSON, err := getUserAndJSONForHook(username, nil)
if err != nil {
return user, err
}
if mergedUser.skipExternalAuth() {
return u, nil
}
pkey, err := util.GetSSHPublicKeyAsString(pubKey)
if err != nil {
return user, err
}
startTime := time.Now()
out, err := plugin.Handler.Authenticate(username, password, ip, protocol, pkey, tlsCert, authScope, userAsJSON)
if err != nil {
return user, fmt.Errorf("plugin auth error for user %q: %v, elapsed: %v, auth scope: %d",
username, err, time.Since(startTime), authScope)
}
providerLog(logger.LevelDebug, "plugin auth completed for user %q, elapsed: %v, auth scope: %d",
username, time.Since(startTime), authScope)
if util.IsByteArrayEmpty(out) {
providerLog(logger.LevelDebug, "empty response from plugin auth, no modification requested for user %q id: %d, auth scope: %d",
username, u.ID, authScope)
if u.ID == 0 {
return u, util.NewRecordNotFoundError(fmt.Sprintf("username %q does not exist", username))
}
err = checkPasswordAfterEmptyExtAuthResponse(&u, password, protocol)
return u, err
}
err = json.Unmarshal(out, &user)
if err != nil {
return user, fmt.Errorf("invalid plugin auth response: %v", err)
}
updateUserFromExtAuthResponse(&user, password, pkey)
if u.ID > 0 {
user.ID = u.ID
user.UsedQuotaSize = u.UsedQuotaSize
user.UsedQuotaFiles = u.UsedQuotaFiles
user.UsedUploadDataTransfer = u.UsedUploadDataTransfer
user.UsedDownloadDataTransfer = u.UsedDownloadDataTransfer
user.LastQuotaUpdate = u.LastQuotaUpdate
user.LastLogin = u.LastLogin
user.LastPasswordChange = u.LastPasswordChange
user.FirstDownload = u.FirstDownload
user.FirstUpload = u.FirstUpload
// preserve TOTP config and recovery codes
user.Filters.TOTPConfig = u.Filters.TOTPConfig
user.Filters.RecoveryCodes = u.Filters.RecoveryCodes
user, err = updateUserAfterExternalAuth(&user)
if err == nil {
if protocol != protocolWebDAV {
webDAVUsersCache.swap(&user, password)
}
cachedUserPasswords.Add(user.Username, password, user.Password)
executeAction(operationUpdate, ActionExecutorSelf, "", actionObjectUser, user.Username, "", &user)
}
return user, err
}
err = provider.addUser(&user)
if err != nil {
return user, err
}
executeAction(operationAdd, ActionExecutorSelf, "", actionObjectUser, user.Username, "", &user)
return provider.userExists(user.Username, "")
}
func updateUserAfterExternalAuth(user *User) (User, error) {
if err := provider.updateUser(user); err != nil {
return *user, err
}
return provider.userExists(user.Username, "")
}
func getUserForHook(username string, oidcTokenFields *map[string]any) (User, User, error) {
u, err := provider.userExists(username, "")
if err != nil {
if !errors.Is(err, util.ErrNotFound) {
return u, u, err
}
u = User{
BaseUser: sdk.BaseUser{
ID: 0,
Username: username,
},
}
}
mergedUser := u.getACopy()
err = mergedUser.LoadAndApplyGroupSettings()
if err != nil {
return u, mergedUser, err
}
u.OIDCCustomFields = oidcTokenFields
return u, mergedUser, err
}
func getUserAndJSONForHook(username string, oidcTokenFields *map[string]any) (User, User, []byte, error) {
u, mergedUser, err := getUserForHook(username, oidcTokenFields)
if err != nil {
return u, mergedUser, nil, err
}
userAsJSON, err := json.Marshal(u)
if err != nil {
return u, mergedUser, userAsJSON, err
}
return u, mergedUser, userAsJSON, err
}
func isLastActivityRecent(lastActivity int64, minDelay time.Duration) bool {
lastActivityTime := util.GetTimeFromMsecSinceEpoch(lastActivity)
diff := -time.Until(lastActivityTime)
if diff < -10*time.Second {
return false
}
return diff < minDelay
}
func isExternalAuthConfigured(loginMethod string) bool {
if config.ExternalAuthHook != "" {
if config.ExternalAuthScope == 0 {
return true
}
switch loginMethod {
case LoginMethodPassword:
return config.ExternalAuthScope&1 != 0
case LoginMethodTLSCertificate:
return config.ExternalAuthScope&8 != 0
case LoginMethodTLSCertificateAndPwd:
return config.ExternalAuthScope&1 != 0 || config.ExternalAuthScope&8 != 0
}
}
switch loginMethod {
case LoginMethodPassword:
return plugin.Handler.HasAuthScope(plugin.AuthScopePassword)
case LoginMethodTLSCertificate:
return plugin.Handler.HasAuthScope(plugin.AuthScopeTLSCertificate)
case LoginMethodTLSCertificateAndPwd:
return plugin.Handler.HasAuthScope(plugin.AuthScopePassword) ||
plugin.Handler.HasAuthScope(plugin.AuthScopeTLSCertificate)
default:
return false
}
}
func getConfigPath(name, configDir string) string {
if !util.IsFileInputValid(name) {
return ""
}
if name != "" && !filepath.IsAbs(name) {
return filepath.Join(configDir, name)
}
return name
}
func checkReservedUsernames(username string) error {
if slices.Contains(reservedUsers, username) {
return util.NewValidationError("this username is reserved")
}
return nil
}
func providerLog(level logger.LogLevel, format string, v ...any) {
logger.Log(level, logSender, "", format, v...)
}
Reference in a new issue View git blame Copy permalink