mirror of
https://github.com/drakkan/sftpgo.git
synced 2024-11-21 15:10:23 +00:00
433d45ed87
Some checks failed
Code scanning - action / CodeQL-Build (push) Has been cancelled
CI / Test and deploy (1.22, macos-latest, true) (push) Has been cancelled
CI / Test and deploy (1.22, ubuntu-latest, true) (push) Has been cancelled
CI / Test and deploy (1.22, windows-latest, false) (push) Has been cancelled
CI / Test build flags (push) Has been cancelled
CI / Test with PgSQL/MySQL/Cockroach (push) Has been cancelled
CI / Build Linux packages (aarch64, ubuntu18.04, go1.22.7, arm64) (push) Has been cancelled
CI / Build Linux packages (amd64, ubuntu:18.04, go1.22.7, amd64) (push) Has been cancelled
CI / Build Linux packages (armv7, ubuntu18.04, go1.22.7, arm7) (push) Has been cancelled
CI / Build Linux packages (ppc64le, ubuntu18.04, go1.22.7, ppc64le) (push) Has been cancelled
CI / golangci-lint (push) Has been cancelled
Docker / Build (alpine, false, ubuntu-latest) (push) Has been cancelled
Docker / Build (alpine, true, ubuntu-latest) (push) Has been cancelled
Docker / Build (debian, false, ubuntu-latest) (push) Has been cancelled
Docker / Build (debian, true, ubuntu-latest) (push) Has been cancelled
Docker / Build (debian-plugins, true, ubuntu-latest) (push) Has been cancelled
Docker / Build (distroless, false, ubuntu-latest) (push) Has been cancelled
Signed-off-by: Nicola Murino <nicola.murino@gmail.com>
4069 lines
149 KiB
Go
4069 lines
149 KiB
Go
// Copyright (C) 2019 Nicola Murino
|
|
//
|
|
// This program is free software: you can redistribute it and/or modify
|
|
// it under the terms of the GNU Affero General Public License as published
|
|
// by the Free Software Foundation, version 3.
|
|
//
|
|
// This program is distributed in the hope that it will be useful,
|
|
// but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
// GNU Affero General Public License for more details.
|
|
//
|
|
// You should have received a copy of the GNU Affero General Public License
|
|
// along with this program. If not, see <https://www.gnu.org/licenses/>.
|
|
|
|
package httpd
|
|
|
|
import (
|
|
"bytes"
|
|
"context"
|
|
"crypto/tls"
|
|
"crypto/x509"
|
|
"encoding/json"
|
|
"errors"
|
|
"fmt"
|
|
"html/template"
|
|
"io"
|
|
"io/fs"
|
|
"net/http"
|
|
"net/http/httptest"
|
|
"net/url"
|
|
"os"
|
|
"path"
|
|
"path/filepath"
|
|
"runtime"
|
|
"strings"
|
|
"testing"
|
|
"time"
|
|
|
|
"github.com/go-chi/chi/v5"
|
|
"github.com/go-chi/chi/v5/middleware"
|
|
"github.com/go-chi/jwtauth/v5"
|
|
"github.com/klauspost/compress/zip"
|
|
"github.com/lestrrat-go/jwx/v2/jwa"
|
|
"github.com/lestrrat-go/jwx/v2/jwt"
|
|
"github.com/rs/xid"
|
|
"github.com/sftpgo/sdk"
|
|
sdkkms "github.com/sftpgo/sdk/kms"
|
|
"github.com/sftpgo/sdk/plugin/notifier"
|
|
"github.com/stretchr/testify/assert"
|
|
"github.com/stretchr/testify/require"
|
|
"golang.org/x/net/html"
|
|
|
|
"github.com/drakkan/sftpgo/v2/internal/acme"
|
|
"github.com/drakkan/sftpgo/v2/internal/common"
|
|
"github.com/drakkan/sftpgo/v2/internal/dataprovider"
|
|
"github.com/drakkan/sftpgo/v2/internal/kms"
|
|
"github.com/drakkan/sftpgo/v2/internal/plugin"
|
|
"github.com/drakkan/sftpgo/v2/internal/util"
|
|
"github.com/drakkan/sftpgo/v2/internal/vfs"
|
|
)
|
|
|
|
const (
|
|
httpdCert = `-----BEGIN CERTIFICATE-----
|
|
MIICHTCCAaKgAwIBAgIUHnqw7QnB1Bj9oUsNpdb+ZkFPOxMwCgYIKoZIzj0EAwIw
|
|
RTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGElu
|
|
dGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAeFw0yMDAyMDQwOTUzMDRaFw0zMDAyMDEw
|
|
OTUzMDRaMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYD
|
|
VQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwdjAQBgcqhkjOPQIBBgUrgQQA
|
|
IgNiAARCjRMqJ85rzMC998X5z761nJ+xL3bkmGVqWvrJ51t5OxV0v25NsOgR82CA
|
|
NXUgvhVYs7vNFN+jxtb2aj6Xg+/2G/BNxkaFspIVCzgWkxiz7XE4lgUwX44FCXZM
|
|
3+JeUbKjUzBRMB0GA1UdDgQWBBRhLw+/o3+Z02MI/d4tmaMui9W16jAfBgNVHSME
|
|
GDAWgBRhLw+/o3+Z02MI/d4tmaMui9W16jAPBgNVHRMBAf8EBTADAQH/MAoGCCqG
|
|
SM49BAMCA2kAMGYCMQDqLt2lm8mE+tGgtjDmtFgdOcI72HSbRQ74D5rYTzgST1rY
|
|
/8wTi5xl8TiFUyLMUsICMQC5ViVxdXbhuG7gX6yEqSkMKZICHpO8hqFwOD/uaFVI
|
|
dV4vKmHUzwK/eIx+8Ay3neE=
|
|
-----END CERTIFICATE-----`
|
|
httpdKey = `-----BEGIN EC PARAMETERS-----
|
|
BgUrgQQAIg==
|
|
-----END EC PARAMETERS-----
|
|
-----BEGIN EC PRIVATE KEY-----
|
|
MIGkAgEBBDCfMNsN6miEE3rVyUPwElfiJSWaR5huPCzUenZOfJT04GAcQdWvEju3
|
|
UM2lmBLIXpGgBwYFK4EEACKhZANiAARCjRMqJ85rzMC998X5z761nJ+xL3bkmGVq
|
|
WvrJ51t5OxV0v25NsOgR82CANXUgvhVYs7vNFN+jxtb2aj6Xg+/2G/BNxkaFspIV
|
|
CzgWkxiz7XE4lgUwX44FCXZM3+JeUbI=
|
|
-----END EC PRIVATE KEY-----`
|
|
caCRT = `-----BEGIN CERTIFICATE-----
|
|
MIIE5jCCAs6gAwIBAgIBATANBgkqhkiG9w0BAQsFADATMREwDwYDVQQDEwhDZXJ0
|
|
QXV0aDAeFw0yNDAxMTAxODEyMDRaFw0zNDAxMTAxODIxNTRaMBMxETAPBgNVBAMT
|
|
CENlcnRBdXRoMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA7WHW216m
|
|
fi4uF8cx6HWf8wvAxaEWgCHTOi2MwFIzOrOtuT7xb64rkpdzx1aWetSiCrEyc3D1
|
|
v03k0Akvlz1gtnDtO64+MA8bqlTnCydZJY4cCTvDOBUYZgtMqHZzpE6xRrqQ84zh
|
|
yzjKQ5bR0st+XGfIkuhjSuf2n/ZPS37fge9j6AKzn/2uEVt33qmO85WtN3RzbSqL
|
|
CdOJ6cQ216j3la1C5+NWvzIKC7t6NE1bBGI4+tRj7B5P5MeamkkogwbExUjdHp3U
|
|
4yasvoGcCHUQDoa4Dej1faywz6JlwB6rTV4ys4aZDe67V/Q8iB2May1k7zBz1Ztb
|
|
KF5Em3xewP1LqPEowF1uc4KtPGcP4bxdaIpSpmObcn8AIfH6smLQrn0C3cs7CYfo
|
|
NlFuTbwzENUhjz0X6EsoM4w4c87lO+dRNR7YpHLqR/BJTbbyXUB0imne1u00fuzb
|
|
S7OtweiA9w7DRCkr2gU4lmHe7l0T+SA9pxIeVLb78x7ivdyXSF5LVQJ1JvhhWu6i
|
|
M6GQdLHat/0fpRFUbEe34RQSDJ2eOBifMJqvsvpBP8d2jcRZVUVrSXGc2mAGuGOY
|
|
/tmnCJGW8Fd+sgpCVAqM0pxCM+apqrvJYUqqQZ2ZxugCXULtRWJ9p4C9zUl40HEy
|
|
OQ+AaiiwFll/doXELglcJdNg8AZPGhugfxMCAwEAAaNFMEMwDgYDVR0PAQH/BAQD
|
|
AgEGMBIGA1UdEwEB/wQIMAYBAf8CAQAwHQYDVR0OBBYEFNoJhIvDZQrEf/VQbWuu
|
|
XgNnt2m5MA0GCSqGSIb3DQEBCwUAA4ICAQCYhT5SRqk19hGrQ09hVSZOzynXAa5F
|
|
sYkEWJzFyLg9azhnTPE1bFM18FScnkd+dal6mt+bQiJvdh24NaVkDghVB7GkmXki
|
|
pAiZwEDHMqtbhiPxY8LtSeCBAz5JqXVU2Q0TpAgNSH4W7FbGWNThhxcJVOoIrXKE
|
|
jbzhwl1Etcaf0DBKWliUbdlxQQs65DLy+rNBYtOeK0pzhzn1vpehUlJ4eTFzP9KX
|
|
y2Mksuq9AspPbqnqpWW645MdTxMb5T57MCrY3GDKw63z5z3kz88LWJF3nOxZmgQy
|
|
WFUhbLmZm7x6N5eiu6Wk8/B4yJ/n5UArD4cEP1i7nqu+mbbM/SZlq1wnGpg/sbRV
|
|
oUF+a7pRcSbfxEttle4pLFhS+ErKatjGcNEab2OlU3bX5UoBs+TYodnCWGKOuBKV
|
|
L/CYc65QyeYZ+JiwYn9wC8YkzOnnVIQjiCEkLgSL30h9dxpnTZDLrdAA8ItelDn5
|
|
DvjuQq58CGDsaVqpSobiSC1DMXYWot4Ets1wwovUNEq1l0MERB+2olE+JU/8E23E
|
|
eL1/aA7Kw/JibkWz1IyzClpFDKXf6kR2onJyxerdwUL+is7tqYFLysiHxZDL1bli
|
|
SXbW8hMa5gvo0IilFP9Rznn8PplIfCsvBDVv6xsRr5nTAFtwKaMBVgznE2ghs69w
|
|
kK8u1YiiVenmoQ==
|
|
-----END CERTIFICATE-----`
|
|
caKey = `-----BEGIN RSA PRIVATE KEY-----
|
|
MIIJKgIBAAKCAgEA7WHW216mfi4uF8cx6HWf8wvAxaEWgCHTOi2MwFIzOrOtuT7x
|
|
b64rkpdzx1aWetSiCrEyc3D1v03k0Akvlz1gtnDtO64+MA8bqlTnCydZJY4cCTvD
|
|
OBUYZgtMqHZzpE6xRrqQ84zhyzjKQ5bR0st+XGfIkuhjSuf2n/ZPS37fge9j6AKz
|
|
n/2uEVt33qmO85WtN3RzbSqLCdOJ6cQ216j3la1C5+NWvzIKC7t6NE1bBGI4+tRj
|
|
7B5P5MeamkkogwbExUjdHp3U4yasvoGcCHUQDoa4Dej1faywz6JlwB6rTV4ys4aZ
|
|
De67V/Q8iB2May1k7zBz1ZtbKF5Em3xewP1LqPEowF1uc4KtPGcP4bxdaIpSpmOb
|
|
cn8AIfH6smLQrn0C3cs7CYfoNlFuTbwzENUhjz0X6EsoM4w4c87lO+dRNR7YpHLq
|
|
R/BJTbbyXUB0imne1u00fuzbS7OtweiA9w7DRCkr2gU4lmHe7l0T+SA9pxIeVLb7
|
|
8x7ivdyXSF5LVQJ1JvhhWu6iM6GQdLHat/0fpRFUbEe34RQSDJ2eOBifMJqvsvpB
|
|
P8d2jcRZVUVrSXGc2mAGuGOY/tmnCJGW8Fd+sgpCVAqM0pxCM+apqrvJYUqqQZ2Z
|
|
xugCXULtRWJ9p4C9zUl40HEyOQ+AaiiwFll/doXELglcJdNg8AZPGhugfxMCAwEA
|
|
AQKCAgEA4x0OoceG54ZrVxifqVaQd8qw3uRmUKUMIMdfuMlsdideeLO97ynmSlRY
|
|
00kGo/I4Lp6mNEjI9gUie9+uBrcUhri4YLcujHCH+YlNnCBDbGjwbe0ds9SLCWaa
|
|
KztZHMSlW5Q4Bqytgu+MpOnxSgqjlOk+vz9TcGFKVnUkHIkAcqKFJX8gOFxPZA/t
|
|
Ob1kJaz4kuv5W2Kur/ISKvQtvFvOtQeV0aJyZm8LqXnvS4cPI7yN4329NDU0HyDR
|
|
y/deqS2aqV4zII3FFqbz8zix/m1xtVQzWCugZGMKrz0iuJMfNeCABb8rRGc6GsZz
|
|
+465v/kobqgeyyneJ1s5rMFrLp2o+dwmnIVMNsFDUiN1lIZDHLvlgonaUO3IdTZc
|
|
9asamFWKFKUMgWqM4zB1vmUO12CKowLNIIKb0L+kf1ixaLLDRGf/f9vLtSHE+oyx
|
|
lATiS18VNA8+CGsHF6uXMRwf2auZdRI9+s6AAeyRISSbO1khyWKHo+bpOvmPAkDR
|
|
nknTjbYgkoZOV+mrsU5oxV8s6vMkuvA3rwFhT2gie8pokuACFcCRrZi9MVs4LmUQ
|
|
u0GYTHvp2WJUjMWBm6XX7Hk3g2HV842qpk/mdtTjNsXws81djtJPn4I/soIXSgXz
|
|
pY3SvKTuOckP9OZVF0yqKGeZXKpD288PKpC+MAg3GvEJaednagECggEBAPsfLwuP
|
|
L1kiDjXyMcRoKlrQ6Q/zBGyBmJbZ5uVGa02+XtYtDAzLoVupPESXL0E7+r8ZpZ39
|
|
0dV4CEJKpbVS/BBtTEkPpTK5kz778Ib04TAyj+YLhsZjsnuja3T5bIBZXFDeDVDM
|
|
0ZaoFoKpIjTu2aO6pzngsgXs6EYbo2MTuJD3h0nkGZsICL7xvT9Mw0P1p2Ftt/hN
|
|
+jKk3vN220wTWUsq43AePi45VwK+PNP12ZXv9HpWDxlPo3j0nXtgYXittYNAT92u
|
|
BZbFAzldEIX9WKKZgsWtIzLaASjVRntpxDCTby/nlzQ5dw3DHU1DV3PIqxZS2+Oe
|
|
KV+7XFWgZ44YjYECggEBAPH+VDu3QSrqSahkZLkgBtGRkiZPkZFXYvU6kL8qf5wO
|
|
Z/uXMeqHtznAupLea8I4YZLfQim/NfC0v1cAcFa9Ckt9g3GwTSirVcN0AC1iOyv3
|
|
/hMZCA1zIyIcuUplNr8qewoX71uPOvCNH0dix77423mKFkJmNwzy4Q+rV+qkRdLn
|
|
v+AAgh7g5N91pxNd6LQJjoyfi1Ka6rRP2yGXM5v7QOwD16eN4JmExUxX1YQ7uNuX
|
|
pVS+HRxnBquA+3/DB1LtBX6pa2cUa+LRUmE/NCPHMvJcyuNkYpJKlNTd9vnbfo0H
|
|
RNSJSWm+aGxDFMjuPjV3JLj2OdKMPwpnXdh2vBZCPpMCggEAM+yTvrEhmi2HgLIO
|
|
hkz/jP2rYyfdn04ArhhqPLgd0dpuI5z24+Jq/9fzZT9ZfwSW6VK1QwDLlXcXRhXH
|
|
Q8Hf6smev3CjuORURO61IkKaGWwrAucZPAY7ToNQ4cP9ImDXzMTNPgrLv3oMBYJR
|
|
V16X09nxX+9NABqnQG/QjdjzDc6Qw7+NZ9f2bvzvI5qMuY2eyW91XbtJ45ThoLfP
|
|
ymAp03gPxQwL0WT7z85kJ3OrROxzwaPvxU0JQSZbNbqNDPXmFTiECxNDhpRAAWlz
|
|
1DC5Vg2l05fkMkyPdtD6nOQWs/CYSfB5/EtxiX/xnBszhvZUIe6KFvuKFIhaJD5h
|
|
iykagQKCAQEAoBRm8k3KbTIo4ZzvyEq4V/+dF3zBRczx6FkCkYLygXBCNvsQiR2Y
|
|
BjtI8Ijz7bnQShEoOmeDriRTAqGGrspEuiVgQ1+l2wZkKHRe/aaij/Zv+4AuhH8q
|
|
uZEYvW7w5Uqbs9SbgQzhp2kjTNy6V8lVnjPLf8cQGZ+9Y9krwktC6T5m/i435WdN
|
|
38h7amNP4XEE/F86Eb3rDrZYtgLIoCF4E+iCyxMehU+AGH1uABhls9XAB6vvo+8/
|
|
SUp8lEqWWLP0U5KNOtYWfCeOAEiIHDbUq+DYUc4BKtbtV1cx3pzlPTOWw6XBi5Lq
|
|
jttdL4HyYvnasAQpwe8GcMJqIRyCVZMiwwKCAQEAhQTTS3CC8PwcoYrpBdTjW1ck
|
|
vVFeF1YbfqPZfYxASCOtdx6wRnnEJ+bjqntagns9e88muxj9UhxSL6q9XaXQBD8+
|
|
2AmKUxphCZQiYFZcTucjQEQEI2nN+nAKgRrUSMMGiR8Ekc2iFrcxBU0dnSohw+aB
|
|
PbMKVypQCREu9PcDFIp9rXQTeElbaNsIg1C1w/SQjODbmN/QFHTVbRODYqLeX1J/
|
|
VcGsykSIq7hv6bjn7JGkr2JTdANbjk9LnMjMdJFsKRYxPKkOQfYred6Hiojp5Sor
|
|
PW5am8ejnNSPhIfqQp3uV3KhwPDKIeIpzvrB4uPfTjQWhekHCb8cKSWux3flqw==
|
|
-----END RSA PRIVATE KEY-----`
|
|
caCRL = `-----BEGIN X509 CRL-----
|
|
MIICpzCBkAIBATANBgkqhkiG9w0BAQsFADATMREwDwYDVQQDEwhDZXJ0QXV0aBcN
|
|
MjQwMTEwMTgyMjU4WhcNMjYwMTA5MTgyMjU4WjAkMCICEQDOaeHbjY4pEj8WBmqg
|
|
ZuRRFw0yNDAxMTAxODIyNThaoCMwITAfBgNVHSMEGDAWgBTaCYSLw2UKxH/1UG1r
|
|
rl4DZ7dpuTANBgkqhkiG9w0BAQsFAAOCAgEAZzZ4aBqCcAJigR9e/mqKpJa4B6FV
|
|
+jZmnWXolGeUuVkjdiG9w614x7mB2S768iioJyALejjCZjqsp6ydxtn0epQw4199
|
|
XSfPIxA9lxc7w79GLe0v3ztojvxDPh5V1+lwPzGf9i8AsGqb2BrcBqgxDeatndnE
|
|
jF+18bY1saXOBpukNLjtRScUXzy5YcSuO6mwz4548v+1ebpF7W4Yh+yh0zldJKcF
|
|
DouuirZWujJwTwxxfJ+2+yP7GAuefXUOhYs/1y9ylvUgvKFqSyokv6OaVgTooKYD
|
|
MSADzmNcbRvwyAC5oL2yJTVVoTFeP6fXl/BdFH3sO/hlKXGy4Wh1AjcVE6T0CSJ4
|
|
iYFX3gLFh6dbP9IQWMlIM5DKtAKSjmgOywEaWii3e4M0NFSf/Cy17p2E5/jXSLlE
|
|
ypDileK0aALkx2twGWwogh6sY1dQ6R3GpKSRPD2muQxVOG6wXvuJce0E9WLx1Ud4
|
|
hVUdUEMlKUvm77/15U5awarH2cCJQxzS/GMeIintQiG7hUlgRzRdmWVe3vOOvt94
|
|
cp8+ZUH/QSDOo41ATTHpFeC/XqF5E2G/ahXqra+O5my52V/FP0bSJnkorJ8apy67
|
|
sn6DFbkqX9khTXGtacczh2PcqVjcQjBniYl2sPO3qIrrrY3tic96tMnM/u3JRdcn
|
|
w7bXJGfJcIMrrKs=
|
|
-----END X509 CRL-----`
|
|
client1Crt = `-----BEGIN CERTIFICATE-----
|
|
MIIEITCCAgmgAwIBAgIRAJr32nHRlhyPiS7IfZ/ZWYowDQYJKoZIhvcNAQELBQAw
|
|
EzERMA8GA1UEAxMIQ2VydEF1dGgwHhcNMjQwMTEwMTgxMjM3WhcNMzQwMTEwMTgy
|
|
MTUzWjASMRAwDgYDVQQDEwdjbGllbnQxMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
|
|
MIIBCgKCAQEAtuQFiqvdjd8WLxP0FgPDyDEJ1/uJ+Aoj6QllNV7svWxwW+kiJ3X6
|
|
HUVNWhhCsNfly4pGW4erF4fZzmesElGx1PoWgQCWZKsa/N08bznelWgdmkyi85xE
|
|
OkTj6e/cTWHFSOBURNJaXkGHZ0ROSh7qu0Ld+eqNo3k9W+NqZaqYvs2K7MLWeYl7
|
|
Qie8Ctuq5Qaz/jm0XwR2PFBROVQSaCPCukancPQ21ftqHPhAbjxoxvvN5QP4ZdRf
|
|
XlH/LDLhlFnJzPZdHnVy9xisSPPRfFApJiwyfjRYdtslpJOcNgP6oPlpX/dybbhO
|
|
c9FEUgj/Q90Je8EfioBYFYsqVD6/dFv9SwIDAQABo3EwbzAOBgNVHQ8BAf8EBAMC
|
|
A7gwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMB0GA1UdDgQWBBRUh5Xo
|
|
Gzjh6iReaPSOgGatqOw9bDAfBgNVHSMEGDAWgBTaCYSLw2UKxH/1UG1rrl4DZ7dp
|
|
uTANBgkqhkiG9w0BAQsFAAOCAgEAyAK7cOTWqjyLgFM0kyyx1fNPvm2GwKep3MuU
|
|
OrSnLuWjoxzb7WcbKNVMlnvnmSUAWuErxsY0PUJNfcuqWiGmEp4d/SWfWPigG6DC
|
|
sDej35BlSfX8FCufYrfC74VNk4yBS2LVYmIqcpqUrfay0I2oZA8+ToLEpdUvEv2I
|
|
l59eOhJO2jsC3JbOyZZmK2Kv7d94fR+1tg2Rq1Wbnmc9AZKq7KDReAlIJh4u2KHb
|
|
BbtF79idusMwZyP777tqSQ4THBMa+VAEc2UrzdZqTIAwqlKQOvO2fRz2P+ARR+Tz
|
|
MYJMdCdmPZ9qAc8U1OcFBG6qDDltO8wf/Nu/PsSI5LGCIhIuPPIuKfm0rRfTqCG7
|
|
QPQPWjRoXtGGhwjdIuWbX9fIB+c+NpAEKHgLtV+Rxj8s5IVxqG9a5TtU9VkfVXJz
|
|
J20naoz/G+vDsVINpd3kH0ziNvdrKfGRM5UgtnUOPCXB22fVmkIsMH2knI10CKK+
|
|
offI56NTkLRu00xvg98/wdukhkwIAxg6PQI/BHY5mdvoacEHHHdOhMq+GSAh7DDX
|
|
G8+HdbABM1ExkPnZLat15q706ztiuUpQv1C2DI8YviUVkMqCslj4cD4F8EFPo4kr
|
|
kvme0Cuc9Qlf7N5rjdV3cjwavhFx44dyXj9aesft2Q1okPiIqbGNpcjHcIRlj4Au
|
|
MU3Bo0A=
|
|
-----END CERTIFICATE-----`
|
|
client1Key = `-----BEGIN RSA PRIVATE KEY-----
|
|
MIIEpAIBAAKCAQEAtuQFiqvdjd8WLxP0FgPDyDEJ1/uJ+Aoj6QllNV7svWxwW+ki
|
|
J3X6HUVNWhhCsNfly4pGW4erF4fZzmesElGx1PoWgQCWZKsa/N08bznelWgdmkyi
|
|
85xEOkTj6e/cTWHFSOBURNJaXkGHZ0ROSh7qu0Ld+eqNo3k9W+NqZaqYvs2K7MLW
|
|
eYl7Qie8Ctuq5Qaz/jm0XwR2PFBROVQSaCPCukancPQ21ftqHPhAbjxoxvvN5QP4
|
|
ZdRfXlH/LDLhlFnJzPZdHnVy9xisSPPRfFApJiwyfjRYdtslpJOcNgP6oPlpX/dy
|
|
bbhOc9FEUgj/Q90Je8EfioBYFYsqVD6/dFv9SwIDAQABAoIBAFjSHK7gENVZxphO
|
|
hHg8k9ShnDo8eyDvK8l9Op3U3/yOsXKxolivvyx//7UFmz3vXDahjNHe7YScAXdw
|
|
eezbqBXa7xrvghqZzp2HhFYwMJ0210mcdncBKVFzK4ztZHxgQ0PFTqet0R19jZjl
|
|
X3A325/eNZeuBeOied4qb/24AD6JGc6A0J55f5/QUQtdwYwrL15iC/KZXDL90PPJ
|
|
CFJyrSzcXvOMEvOfXIFxhDVKRCppyIYXG7c80gtNC37I6rxxMNQ4mxjwUI2IVhxL
|
|
j+nZDu0JgRZ4NaGjOq2e79QxUVm/GG3z25XgmBFBrXkEVV+sCZE1VDyj6kQfv9FU
|
|
NhOrwGECgYEAzq47r/HwXifuGYBV/mvInFw3BNLrKry+iUZrJ4ms4g+LfOi0BAgf
|
|
sXsWXulpBo2YgYjFdO8G66f69GlB4B7iLscpABXbRtpDZEnchQpaF36/+4g3i8gB
|
|
Z29XHNDB8+7t4wbXvlSnLv1tZWey2fS4hPosc2YlvS87DMmnJMJqhs8CgYEA4oiB
|
|
LGQP6VNdX0Uigmh5fL1g1k95eC8GP1ylczCcIwsb2OkAq0MT7SHRXOlg3leEq4+g
|
|
mCHk1NdjkSYxDL2ZeTKTS/gy4p1jlcDa6Ilwi4pVvatNvu4o80EYWxRNNb1mAn67
|
|
T8TN9lzc6mEi+LepQM3nYJ3F+ZWTKgxH8uoJwMUCgYEArpumE1vbjUBAuEyi2eGn
|
|
RunlFW83fBCfDAxw5KM8anNlja5uvuU6GU/6s06QCxg+2lh5MPPrLdXpfukZ3UVa
|
|
Itjg+5B7gx1MSALaiY8YU7cibFdFThM3lHIM72wyH2ogkWcrh0GvSFSUQlJcWCSW
|
|
asmMGiYXBgBL697FFZomMyMCgYEAkAnp0JcDQwHd4gDsk2zoqnckBsDb5J5J46n+
|
|
DYNAFEww9bgZ08u/9MzG+cPu8xFE621U2MbcYLVfuuBE2ewIlPaij/COMmeO9Z59
|
|
0tPpOuDH6eTtd1SptxqR6P+8pEn8feOlKHBj4Z1kXqdK/EiTlwAVeep4Al2oCFls
|
|
ujkz4F0CgYAe8vHnVFHlWi16zAqZx4ZZZhNuqPtgFkvPg9LfyNTA4dz7F9xgtUaY
|
|
nXBPyCe/8NtgBfT79HkPiG3TM0xRZY9UZgsJKFtqAu5u4ManuWDnsZI9RK2QTLHe
|
|
yEbH5r3Dg3n9k/3GbjXFIWdU9UaYsdnSKHHtMw9ZODc14LaAogEQug==
|
|
-----END RSA PRIVATE KEY-----`
|
|
// client 2 crt is revoked
|
|
client2Crt = `-----BEGIN CERTIFICATE-----
|
|
MIIEITCCAgmgAwIBAgIRAM5p4duNjikSPxYGaqBm5FEwDQYJKoZIhvcNAQELBQAw
|
|
EzERMA8GA1UEAxMIQ2VydEF1dGgwHhcNMjQwMTEwMTgxMjUyWhcNMzQwMTEwMTgy
|
|
MTUzWjASMRAwDgYDVQQDEwdjbGllbnQyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A
|
|
MIIBCgKCAQEApNYpNZVmXZtAObpRRIuP2o/7z04H2E161vKZvJ3LSLlUTImVjm/b
|
|
Qe6DTNCUVLnzQuanmUlu2rUnN3lDSfYoBcJWbvC3y1OCPRkCjDV6KiYMA9TPkZua
|
|
eq6y3+bFFfEmyumsVEe0bSuzNHXCOIBT7PqYMdovECcwBh/RZCA5mqO5omEKh4LQ
|
|
cr6+sVVkvD3nsyx0Alz/kTLFqc0mVflmpJq+0BpdetHRg4n5vy/I/08jZ81PQAmT
|
|
A0kyl0Jh132JBGFdA8eyugPPP8n5edU4f3HXV/nR7XLwBrpSt8KgEg8cwfAu4Ic0
|
|
6tGzB0CH8lSGtU0tH2/cOlDuguDD7VvokQIDAQABo3EwbzAOBgNVHQ8BAf8EBAMC
|
|
A7gwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMB0GA1UdDgQWBBR5mf0f
|
|
Zjf8ZCGXqU2+45th7VkkLDAfBgNVHSMEGDAWgBTaCYSLw2UKxH/1UG1rrl4DZ7dp
|
|
uTANBgkqhkiG9w0BAQsFAAOCAgEARhFxNAouwbpEfN1M90+ao5rwyxEewerSoCCz
|
|
PQzeUZ66MA/FkS/tFUGgGGG+wERN+WLbe1cN6q/XFr0FSMLuUxLXDNV02oUL/FnY
|
|
xcyNLaZUZ0pP7sA+Hmx2AdTA6baIwQbyIY9RLAaz6hzo1YbI8yeis645F1bxgL2D
|
|
EP5kXa3Obv0tqWByMZtrmJPv3p0W5GJKXVDn51GR/E5KI7pliZX2e0LmMX9mxfPB
|
|
4sXFUggMHXxWMMSAmXPVsxC2KX6gMnajO7JUraTwuGm+6V371FzEX+UKXHI+xSvO
|
|
78TseTIYsBGLjeiA8UjkKlD3T9qsQm2mb2PlKyqjvIm4i2ilM0E2w4JZmd45b925
|
|
7q/QLV3NZ/zZMi6AMyULu28DWKfAx3RLKwnHWSFcR4lVkxQrbDhEUMhAhLAX+2+e
|
|
qc7qZm3dTabi7ZJiiOvYK/yNgFHa/XtZp5uKPB5tigPIa+34hbZF7s2/ty5X3O1N
|
|
f5Ardz7KNsxJjZIt6HvB28E/PPOvBqCKJc1Y08J9JbZi8p6QS1uarGoR7l7rT1Hv
|
|
/ZXkNTw2bw1VpcWdzDBLLVHYNnJmS14189LVk11PcJJpSmubwCqg+ZZULdgtVr3S
|
|
ANas2dgMPVwXhnAalgkcc+lb2QqaEz06axfbRGBsgnyqR5/koKCg1Hr0+vThHSsR
|
|
E0+r2+4=
|
|
-----END CERTIFICATE-----`
|
|
client2Key = `-----BEGIN RSA PRIVATE KEY-----
|
|
MIIEowIBAAKCAQEApNYpNZVmXZtAObpRRIuP2o/7z04H2E161vKZvJ3LSLlUTImV
|
|
jm/bQe6DTNCUVLnzQuanmUlu2rUnN3lDSfYoBcJWbvC3y1OCPRkCjDV6KiYMA9TP
|
|
kZuaeq6y3+bFFfEmyumsVEe0bSuzNHXCOIBT7PqYMdovECcwBh/RZCA5mqO5omEK
|
|
h4LQcr6+sVVkvD3nsyx0Alz/kTLFqc0mVflmpJq+0BpdetHRg4n5vy/I/08jZ81P
|
|
QAmTA0kyl0Jh132JBGFdA8eyugPPP8n5edU4f3HXV/nR7XLwBrpSt8KgEg8cwfAu
|
|
4Ic06tGzB0CH8lSGtU0tH2/cOlDuguDD7VvokQIDAQABAoIBAQCMnEeg9uXQmdvq
|
|
op4qi6bV+ZcDWvvkLwvHikFMnYpIaheYBpF2ZMKzdmO4xgCSWeFCQ4Hah8KxfHCM
|
|
qLuWvw2bBBE5J8yQ/JaPyeLbec7RX41GQ2YhPoxDdP0PdErREdpWo4imiFhH/Ewt
|
|
Rvq7ufRdpdLoS8dzzwnvX3r+H2MkHoC/QANW2AOuVoZK5qyCH5N8yEAAbWKaQaeL
|
|
VBhAYEVKbAkWEtXw7bYXzxRR7WIM3f45v3ncRusDIG+Hf75ZjatoH0lF1gHQNofO
|
|
qkCVZVzjkLFuzDic2KZqsNORglNs4J6t5Dahb9v3hnoK963YMnVSUjFvqQ+/RZZy
|
|
VILFShilAoGBANucwZU61eJ0tLKBYEwmRY/K7Gu1MvvcYJIOoX8/BL3zNmNO0CLl
|
|
NiABtNt9WOVwZxDsxJXdo1zvMtAegNqS6W11R1VAZbL6mQ/krScbLDE6JKA5DmA7
|
|
4nNi1gJOW1ziAfdBAfhe4cLbQOb94xkOK5xM1YpO0xgDJLwrZbehDMmPAoGBAMAl
|
|
/owPDAvcXz7JFynT0ieYVc64MSFiwGYJcsmxSAnbEgQ+TR5FtkHYe91OSqauZcCd
|
|
aoKXQNyrYKIhyounRPFTdYQrlx6KtEs7LU9wOxuphhpJtGjRnhmA7IqvX703wNvu
|
|
khrEavn86G5boH8R80371SrN0Rh9UeAlQGuNBdvfAoGAEAmokW9Ug08miwqrr6Pz
|
|
3IZjMZJwALidTM1IufQuMnj6ddIhnQrEIx48yPKkdUz6GeBQkuk2rujA+zXfDxc/
|
|
eMDhzrX/N0zZtLFse7ieR5IJbrH7/MciyG5lVpHGVkgjAJ18uVikgAhm+vd7iC7i
|
|
vG1YAtuyysQgAKXircBTIL0CgYAHeTLWVbt9NpwJwB6DhPaWjalAug9HIiUjktiB
|
|
GcEYiQnBWn77X3DATOA8clAa/Yt9m2HKJIHkU1IV3ESZe+8Fh955PozJJlHu3yVb
|
|
Ap157PUHTriSnxyMF2Sb3EhX/rQkmbnbCqqygHC14iBy8MrKzLG00X6BelZV5n0D
|
|
8d85dwKBgGWY2nsaemPH/TiTVF6kW1IKSQoIyJChkngc+Xj/2aCCkkmAEn8eqncl
|
|
RKjnkiEZeG4+G91Xu7+HmcBLwV86k5I+tXK9O1Okomr6Zry8oqVcxU5TB6VRS+rA
|
|
ubwF00Drdvk2+kDZfxIM137nBiy7wgCJi2Ksm5ihN3dUF6Q0oNPl
|
|
-----END RSA PRIVATE KEY-----`
|
|
defaultAdminUsername = "admin"
|
|
defaultAdminPass = "password"
|
|
defeaultUsername = "test_user"
|
|
)
|
|
|
|
var (
|
|
configDir = filepath.Join(".", "..", "..")
|
|
)
|
|
|
|
type failingWriter struct {
|
|
}
|
|
|
|
func (r *failingWriter) Write(_ []byte) (n int, err error) {
|
|
return 0, errors.New("write error")
|
|
}
|
|
|
|
func (r *failingWriter) WriteHeader(_ int) {}
|
|
|
|
func (r *failingWriter) Header() http.Header {
|
|
return make(http.Header)
|
|
}
|
|
|
|
func TestShouldBind(t *testing.T) {
|
|
c := Conf{
|
|
Bindings: []Binding{
|
|
{
|
|
Port: 10000,
|
|
},
|
|
},
|
|
}
|
|
require.False(t, c.ShouldBind())
|
|
c.Bindings[0].EnableRESTAPI = true
|
|
require.True(t, c.ShouldBind())
|
|
|
|
c.Bindings[0].Port = 0
|
|
require.False(t, c.ShouldBind())
|
|
|
|
if runtime.GOOS != osWindows {
|
|
c.Bindings[0].Address = "/absolute/path"
|
|
require.True(t, c.ShouldBind())
|
|
}
|
|
}
|
|
|
|
func TestBrandingValidation(t *testing.T) {
|
|
b := Binding{
|
|
Branding: Branding{
|
|
WebAdmin: UIBranding{
|
|
LogoPath: "path1",
|
|
DefaultCSS: []string{"my.css"},
|
|
},
|
|
WebClient: UIBranding{
|
|
FaviconPath: "favicon1.ico",
|
|
DisclaimerPath: "../path2",
|
|
ExtraCSS: []string{"1.css"},
|
|
},
|
|
},
|
|
}
|
|
b.checkBranding()
|
|
assert.Equal(t, "/favicon.png", b.Branding.WebAdmin.FaviconPath)
|
|
assert.Equal(t, "/path1", b.Branding.WebAdmin.LogoPath)
|
|
assert.Equal(t, []string{"/my.css"}, b.Branding.WebAdmin.DefaultCSS)
|
|
assert.Len(t, b.Branding.WebAdmin.ExtraCSS, 0)
|
|
assert.Equal(t, "/favicon1.ico", b.Branding.WebClient.FaviconPath)
|
|
assert.Equal(t, path.Join(webStaticFilesPath, "/path2"), b.Branding.WebClient.DisclaimerPath)
|
|
if assert.Len(t, b.Branding.WebClient.ExtraCSS, 1) {
|
|
assert.Equal(t, "/1.css", b.Branding.WebClient.ExtraCSS[0])
|
|
}
|
|
b.Branding.WebAdmin.DisclaimerPath = "https://example.com"
|
|
b.checkBranding()
|
|
assert.Equal(t, "https://example.com", b.Branding.WebAdmin.DisclaimerPath)
|
|
}
|
|
|
|
func TestRedactedConf(t *testing.T) {
|
|
c := Conf{
|
|
SigningPassphrase: "passphrase",
|
|
Setup: SetupConfig{
|
|
InstallationCode: "123",
|
|
},
|
|
}
|
|
redactedField := "[redacted]"
|
|
redactedConf := c.getRedacted()
|
|
assert.Equal(t, redactedField, redactedConf.SigningPassphrase)
|
|
assert.Equal(t, redactedField, redactedConf.Setup.InstallationCode)
|
|
assert.NotEqual(t, c.SigningPassphrase, redactedConf.SigningPassphrase)
|
|
assert.NotEqual(t, c.Setup.InstallationCode, redactedConf.Setup.InstallationCode)
|
|
}
|
|
|
|
func TestGetRespStatus(t *testing.T) {
|
|
var err error
|
|
err = util.NewMethodDisabledError("")
|
|
respStatus := getRespStatus(err)
|
|
assert.Equal(t, http.StatusForbidden, respStatus)
|
|
err = fmt.Errorf("generic error")
|
|
respStatus = getRespStatus(err)
|
|
assert.Equal(t, http.StatusInternalServerError, respStatus)
|
|
respStatus = getRespStatus(plugin.ErrNoSearcher)
|
|
assert.Equal(t, http.StatusNotImplemented, respStatus)
|
|
}
|
|
|
|
func TestMappedStatusCode(t *testing.T) {
|
|
err := os.ErrPermission
|
|
code := getMappedStatusCode(err)
|
|
assert.Equal(t, http.StatusForbidden, code)
|
|
err = os.ErrNotExist
|
|
code = getMappedStatusCode(err)
|
|
assert.Equal(t, http.StatusNotFound, code)
|
|
err = common.ErrQuotaExceeded
|
|
code = getMappedStatusCode(err)
|
|
assert.Equal(t, http.StatusRequestEntityTooLarge, code)
|
|
err = os.ErrClosed
|
|
code = getMappedStatusCode(err)
|
|
assert.Equal(t, http.StatusInternalServerError, code)
|
|
err = &http.MaxBytesError{}
|
|
code = getMappedStatusCode(err)
|
|
assert.Equal(t, http.StatusRequestEntityTooLarge, code)
|
|
}
|
|
|
|
func TestGCSWebInvalidFormFile(t *testing.T) {
|
|
form := make(url.Values)
|
|
form.Set("username", "test_username")
|
|
form.Set("fs_provider", "2")
|
|
req, _ := http.NewRequest(http.MethodPost, webUserPath, strings.NewReader(form.Encode()))
|
|
req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
|
|
err := req.ParseForm()
|
|
assert.NoError(t, err)
|
|
_, err = getFsConfigFromPostFields(req)
|
|
assert.EqualError(t, err, http.ErrNotMultipart.Error())
|
|
}
|
|
|
|
func TestBrandingInvalidFormFile(t *testing.T) {
|
|
form := make(url.Values)
|
|
req, _ := http.NewRequest(http.MethodPost, webConfigsPath, strings.NewReader(form.Encode()))
|
|
req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
|
|
err := req.ParseForm()
|
|
assert.NoError(t, err)
|
|
_, err = getBrandingConfigFromPostFields(req, &dataprovider.BrandingConfigs{})
|
|
assert.EqualError(t, err, http.ErrNotMultipart.Error())
|
|
}
|
|
|
|
func TestVerifyCSRFToken(t *testing.T) {
|
|
server := httpdServer{}
|
|
server.initializeRouter()
|
|
req, err := http.NewRequest(http.MethodPost, webAdminEventActionPath, nil)
|
|
require.NoError(t, err)
|
|
req = req.WithContext(context.WithValue(req.Context(), jwtauth.ErrorCtxKey, fs.ErrPermission))
|
|
|
|
rr := httptest.NewRecorder()
|
|
tokenString := createCSRFToken(rr, req, server.csrfTokenAuth, "", webBaseAdminPath)
|
|
assert.NotEmpty(t, tokenString)
|
|
|
|
token, err := server.csrfTokenAuth.Decode(tokenString)
|
|
require.NoError(t, err)
|
|
_, ok := token.Get(claimRef)
|
|
assert.False(t, ok)
|
|
|
|
req.Form = url.Values{}
|
|
req.Form.Set(csrfFormToken, tokenString)
|
|
err = verifyCSRFToken(req, server.csrfTokenAuth)
|
|
assert.ErrorIs(t, err, fs.ErrPermission)
|
|
|
|
req, err = http.NewRequest(http.MethodPost, webAdminEventActionPath, nil)
|
|
require.NoError(t, err)
|
|
req.Form = url.Values{}
|
|
req.Form.Set(csrfFormToken, tokenString)
|
|
err = verifyCSRFToken(req, server.csrfTokenAuth)
|
|
assert.ErrorContains(t, err, "the form token is not valid")
|
|
}
|
|
|
|
func TestInvalidToken(t *testing.T) {
|
|
server := httpdServer{}
|
|
server.initializeRouter()
|
|
admin := dataprovider.Admin{
|
|
Username: "admin",
|
|
}
|
|
errFake := errors.New("fake error")
|
|
asJSON, err := json.Marshal(admin)
|
|
assert.NoError(t, err)
|
|
req, _ := http.NewRequest(http.MethodPut, path.Join(adminPath, admin.Username), bytes.NewBuffer(asJSON))
|
|
rctx := chi.NewRouteContext()
|
|
rctx.URLParams.Add("username", admin.Username)
|
|
req = req.WithContext(context.WithValue(req.Context(), chi.RouteCtxKey, rctx))
|
|
req = req.WithContext(context.WithValue(req.Context(), jwtauth.ErrorCtxKey, errFake))
|
|
rr := httptest.NewRecorder()
|
|
updateAdmin(rr, req)
|
|
assert.Equal(t, http.StatusBadRequest, rr.Code)
|
|
rr = httptest.NewRecorder()
|
|
deleteAdmin(rr, req)
|
|
assert.Equal(t, http.StatusBadRequest, rr.Code)
|
|
|
|
adminPwd := pwdChange{
|
|
CurrentPassword: "old",
|
|
NewPassword: "new",
|
|
}
|
|
asJSON, err = json.Marshal(adminPwd)
|
|
assert.NoError(t, err)
|
|
req, _ = http.NewRequest(http.MethodPut, "", bytes.NewBuffer(asJSON))
|
|
req = req.WithContext(context.WithValue(req.Context(), chi.RouteCtxKey, rctx))
|
|
req = req.WithContext(context.WithValue(req.Context(), jwtauth.ErrorCtxKey, errFake))
|
|
rr = httptest.NewRecorder()
|
|
changeAdminPassword(rr, req)
|
|
assert.Equal(t, http.StatusInternalServerError, rr.Code)
|
|
adm := getAdminFromToken(req)
|
|
assert.Empty(t, adm.Username)
|
|
|
|
rr = httptest.NewRecorder()
|
|
readUserFolder(rr, req)
|
|
assert.Equal(t, http.StatusBadRequest, rr.Code)
|
|
assert.Contains(t, rr.Body.String(), "Invalid token claims")
|
|
|
|
rr = httptest.NewRecorder()
|
|
getUserFile(rr, req)
|
|
assert.Equal(t, http.StatusBadRequest, rr.Code)
|
|
assert.Contains(t, rr.Body.String(), "Invalid token claims")
|
|
|
|
rr = httptest.NewRecorder()
|
|
getUserFilesAsZipStream(rr, req)
|
|
assert.Equal(t, http.StatusBadRequest, rr.Code)
|
|
assert.Contains(t, rr.Body.String(), "Invalid token claims")
|
|
|
|
rr = httptest.NewRecorder()
|
|
getShares(rr, req)
|
|
assert.Equal(t, http.StatusBadRequest, rr.Code)
|
|
assert.Contains(t, rr.Body.String(), "Invalid token claims")
|
|
|
|
rr = httptest.NewRecorder()
|
|
getShareByID(rr, req)
|
|
assert.Equal(t, http.StatusBadRequest, rr.Code)
|
|
assert.Contains(t, rr.Body.String(), "Invalid token claims")
|
|
|
|
rr = httptest.NewRecorder()
|
|
addShare(rr, req)
|
|
assert.Equal(t, http.StatusBadRequest, rr.Code)
|
|
assert.Contains(t, rr.Body.String(), "Invalid token claims")
|
|
|
|
rr = httptest.NewRecorder()
|
|
updateShare(rr, req)
|
|
assert.Equal(t, http.StatusBadRequest, rr.Code)
|
|
assert.Contains(t, rr.Body.String(), "Invalid token claims")
|
|
|
|
rr = httptest.NewRecorder()
|
|
deleteShare(rr, req)
|
|
assert.Equal(t, http.StatusBadRequest, rr.Code)
|
|
assert.Contains(t, rr.Body.String(), "Invalid token claims")
|
|
|
|
rr = httptest.NewRecorder()
|
|
generateTOTPSecret(rr, req)
|
|
assert.Equal(t, http.StatusBadRequest, rr.Code)
|
|
assert.Contains(t, rr.Body.String(), "Invalid token claims")
|
|
|
|
rr = httptest.NewRecorder()
|
|
saveTOTPConfig(rr, req)
|
|
assert.Equal(t, http.StatusBadRequest, rr.Code)
|
|
assert.Contains(t, rr.Body.String(), "Invalid token claims")
|
|
|
|
rr = httptest.NewRecorder()
|
|
getRecoveryCodes(rr, req)
|
|
assert.Equal(t, http.StatusBadRequest, rr.Code)
|
|
assert.Contains(t, rr.Body.String(), "Invalid token claims")
|
|
|
|
rr = httptest.NewRecorder()
|
|
generateRecoveryCodes(rr, req)
|
|
assert.Equal(t, http.StatusBadRequest, rr.Code)
|
|
assert.Contains(t, rr.Body.String(), "Invalid token claims")
|
|
|
|
rr = httptest.NewRecorder()
|
|
getUserProfile(rr, req)
|
|
assert.Equal(t, http.StatusBadRequest, rr.Code)
|
|
assert.Contains(t, rr.Body.String(), "Invalid token claims")
|
|
|
|
rr = httptest.NewRecorder()
|
|
updateUserProfile(rr, req)
|
|
assert.Equal(t, http.StatusBadRequest, rr.Code)
|
|
assert.Contains(t, rr.Body.String(), "Invalid token claims")
|
|
|
|
rr = httptest.NewRecorder()
|
|
getWebTask(rr, req)
|
|
assert.Equal(t, http.StatusBadRequest, rr.Code)
|
|
assert.Contains(t, rr.Body.String(), "Invalid token claims")
|
|
|
|
rr = httptest.NewRecorder()
|
|
getAdminProfile(rr, req)
|
|
assert.Equal(t, http.StatusBadRequest, rr.Code)
|
|
assert.Contains(t, rr.Body.String(), "Invalid token claims")
|
|
|
|
rr = httptest.NewRecorder()
|
|
updateAdminProfile(rr, req)
|
|
assert.Equal(t, http.StatusBadRequest, rr.Code)
|
|
assert.Contains(t, rr.Body.String(), "Invalid token claims")
|
|
|
|
rr = httptest.NewRecorder()
|
|
loadData(rr, req)
|
|
assert.Equal(t, http.StatusBadRequest, rr.Code)
|
|
assert.Contains(t, rr.Body.String(), "Invalid token claims")
|
|
|
|
rr = httptest.NewRecorder()
|
|
loadDataFromRequest(rr, req)
|
|
assert.Equal(t, http.StatusBadRequest, rr.Code)
|
|
assert.Contains(t, rr.Body.String(), "Invalid token claims")
|
|
|
|
rr = httptest.NewRecorder()
|
|
addUser(rr, req)
|
|
assert.Equal(t, http.StatusBadRequest, rr.Code)
|
|
assert.Contains(t, rr.Body.String(), "Invalid token claims")
|
|
|
|
rr = httptest.NewRecorder()
|
|
disableUser2FA(rr, req)
|
|
assert.Equal(t, http.StatusBadRequest, rr.Code)
|
|
assert.Contains(t, rr.Body.String(), "Invalid token claims")
|
|
|
|
rr = httptest.NewRecorder()
|
|
updateUser(rr, req)
|
|
assert.Equal(t, http.StatusBadRequest, rr.Code)
|
|
assert.Contains(t, rr.Body.String(), "Invalid token claims")
|
|
|
|
rr = httptest.NewRecorder()
|
|
deleteUser(rr, req)
|
|
assert.Equal(t, http.StatusBadRequest, rr.Code)
|
|
assert.Contains(t, rr.Body.String(), "Invalid token claims")
|
|
|
|
rr = httptest.NewRecorder()
|
|
getActiveConnections(rr, req)
|
|
assert.Equal(t, http.StatusBadRequest, rr.Code)
|
|
assert.Contains(t, rr.Body.String(), "Invalid token claims")
|
|
|
|
rr = httptest.NewRecorder()
|
|
handleCloseConnection(rr, req)
|
|
assert.Equal(t, http.StatusBadRequest, rr.Code)
|
|
assert.Contains(t, rr.Body.String(), "Invalid token claims")
|
|
|
|
rr = httptest.NewRecorder()
|
|
server.handleWebRestore(rr, req)
|
|
assert.Equal(t, http.StatusForbidden, rr.Code)
|
|
assert.Contains(t, rr.Body.String(), util.I18nErrorInvalidToken)
|
|
|
|
rr = httptest.NewRecorder()
|
|
server.handleWebAddUserPost(rr, req)
|
|
assert.Equal(t, http.StatusForbidden, rr.Code)
|
|
assert.Contains(t, rr.Body.String(), util.I18nErrorInvalidToken)
|
|
|
|
rr = httptest.NewRecorder()
|
|
server.handleWebUpdateUserPost(rr, req)
|
|
assert.Equal(t, http.StatusForbidden, rr.Code)
|
|
assert.Contains(t, rr.Body.String(), util.I18nErrorInvalidToken)
|
|
|
|
rr = httptest.NewRecorder()
|
|
server.handleWebTemplateFolderPost(rr, req)
|
|
assert.Equal(t, http.StatusForbidden, rr.Code)
|
|
assert.Contains(t, rr.Body.String(), util.I18nErrorInvalidToken)
|
|
|
|
rr = httptest.NewRecorder()
|
|
server.handleWebTemplateUserPost(rr, req)
|
|
assert.Equal(t, http.StatusForbidden, rr.Code)
|
|
assert.Contains(t, rr.Body.String(), util.I18nErrorInvalidToken)
|
|
|
|
rr = httptest.NewRecorder()
|
|
getAllAdmins(rr, req)
|
|
assert.Equal(t, http.StatusForbidden, rr.Code)
|
|
assert.Contains(t, rr.Body.String(), util.I18nErrorInvalidToken)
|
|
|
|
rr = httptest.NewRecorder()
|
|
getAllUsers(rr, req)
|
|
assert.Equal(t, http.StatusForbidden, rr.Code)
|
|
assert.Contains(t, rr.Body.String(), util.I18nErrorInvalidToken)
|
|
|
|
rr = httptest.NewRecorder()
|
|
addFolder(rr, req)
|
|
assert.Equal(t, http.StatusBadRequest, rr.Code)
|
|
assert.Contains(t, rr.Body.String(), "Invalid token claims")
|
|
|
|
rr = httptest.NewRecorder()
|
|
updateFolder(rr, req)
|
|
assert.Equal(t, http.StatusBadRequest, rr.Code)
|
|
assert.Contains(t, rr.Body.String(), "Invalid token claims")
|
|
|
|
rr = httptest.NewRecorder()
|
|
getFolderByName(rr, req)
|
|
assert.Equal(t, http.StatusBadRequest, rr.Code)
|
|
assert.Contains(t, rr.Body.String(), "Invalid token claims")
|
|
|
|
rr = httptest.NewRecorder()
|
|
deleteFolder(rr, req)
|
|
assert.Equal(t, http.StatusBadRequest, rr.Code)
|
|
assert.Contains(t, rr.Body.String(), "Invalid token claims")
|
|
|
|
rr = httptest.NewRecorder()
|
|
server.handleWebAddFolderPost(rr, req)
|
|
assert.Equal(t, http.StatusForbidden, rr.Code)
|
|
assert.Contains(t, rr.Body.String(), util.I18nErrorInvalidToken)
|
|
|
|
rr = httptest.NewRecorder()
|
|
server.handleWebUpdateFolderPost(rr, req)
|
|
assert.Equal(t, http.StatusForbidden, rr.Code)
|
|
assert.Contains(t, rr.Body.String(), util.I18nErrorInvalidToken)
|
|
|
|
rr = httptest.NewRecorder()
|
|
server.handleWebGetConnections(rr, req)
|
|
assert.Equal(t, http.StatusForbidden, rr.Code)
|
|
assert.Contains(t, rr.Body.String(), util.I18nErrorInvalidToken)
|
|
|
|
rr = httptest.NewRecorder()
|
|
server.handleWebConfigsPost(rr, req)
|
|
assert.Equal(t, http.StatusForbidden, rr.Code)
|
|
assert.Contains(t, rr.Body.String(), util.I18nErrorInvalidToken)
|
|
|
|
rr = httptest.NewRecorder()
|
|
addAdmin(rr, req)
|
|
assert.Equal(t, http.StatusBadRequest, rr.Code)
|
|
assert.Contains(t, rr.Body.String(), "Invalid token claims")
|
|
|
|
rr = httptest.NewRecorder()
|
|
disableAdmin2FA(rr, req)
|
|
assert.Equal(t, http.StatusBadRequest, rr.Code)
|
|
assert.Contains(t, rr.Body.String(), "Invalid token claims")
|
|
|
|
rr = httptest.NewRecorder()
|
|
addAPIKey(rr, req)
|
|
assert.Equal(t, http.StatusBadRequest, rr.Code)
|
|
assert.Contains(t, rr.Body.String(), "Invalid token claims")
|
|
|
|
rr = httptest.NewRecorder()
|
|
updateAPIKey(rr, req)
|
|
assert.Equal(t, http.StatusBadRequest, rr.Code)
|
|
assert.Contains(t, rr.Body.String(), "Invalid token claims")
|
|
|
|
rr = httptest.NewRecorder()
|
|
deleteAPIKey(rr, req)
|
|
assert.Equal(t, http.StatusBadRequest, rr.Code)
|
|
assert.Contains(t, rr.Body.String(), "Invalid token claims")
|
|
|
|
rr = httptest.NewRecorder()
|
|
addGroup(rr, req)
|
|
assert.Equal(t, http.StatusBadRequest, rr.Code)
|
|
assert.Contains(t, rr.Body.String(), "Invalid token claims")
|
|
|
|
rr = httptest.NewRecorder()
|
|
updateGroup(rr, req)
|
|
assert.Equal(t, http.StatusBadRequest, rr.Code)
|
|
assert.Contains(t, rr.Body.String(), "Invalid token claims")
|
|
|
|
rr = httptest.NewRecorder()
|
|
getGroupByName(rr, req)
|
|
assert.Equal(t, http.StatusBadRequest, rr.Code)
|
|
assert.Contains(t, rr.Body.String(), "Invalid token claims")
|
|
|
|
rr = httptest.NewRecorder()
|
|
deleteGroup(rr, req)
|
|
assert.Equal(t, http.StatusBadRequest, rr.Code)
|
|
assert.Contains(t, rr.Body.String(), "Invalid token claims")
|
|
|
|
rr = httptest.NewRecorder()
|
|
addEventAction(rr, req)
|
|
assert.Equal(t, http.StatusBadRequest, rr.Code)
|
|
assert.Contains(t, rr.Body.String(), "Invalid token claims")
|
|
|
|
rr = httptest.NewRecorder()
|
|
getEventActionByName(rr, req)
|
|
assert.Equal(t, http.StatusBadRequest, rr.Code)
|
|
assert.Contains(t, rr.Body.String(), "Invalid token claims")
|
|
|
|
rr = httptest.NewRecorder()
|
|
updateEventAction(rr, req)
|
|
assert.Equal(t, http.StatusBadRequest, rr.Code)
|
|
assert.Contains(t, rr.Body.String(), "Invalid token claims")
|
|
|
|
rr = httptest.NewRecorder()
|
|
deleteEventAction(rr, req)
|
|
assert.Equal(t, http.StatusBadRequest, rr.Code)
|
|
assert.Contains(t, rr.Body.String(), "Invalid token claims")
|
|
|
|
rr = httptest.NewRecorder()
|
|
getEventRuleByName(rr, req)
|
|
assert.Equal(t, http.StatusBadRequest, rr.Code)
|
|
assert.Contains(t, rr.Body.String(), "Invalid token claims")
|
|
|
|
rr = httptest.NewRecorder()
|
|
addEventRule(rr, req)
|
|
assert.Equal(t, http.StatusBadRequest, rr.Code)
|
|
assert.Contains(t, rr.Body.String(), "Invalid token claims")
|
|
|
|
rr = httptest.NewRecorder()
|
|
updateEventRule(rr, req)
|
|
assert.Equal(t, http.StatusBadRequest, rr.Code)
|
|
assert.Contains(t, rr.Body.String(), "Invalid token claims")
|
|
|
|
rr = httptest.NewRecorder()
|
|
deleteEventRule(rr, req)
|
|
assert.Equal(t, http.StatusBadRequest, rr.Code)
|
|
assert.Contains(t, rr.Body.String(), "Invalid token claims")
|
|
|
|
rr = httptest.NewRecorder()
|
|
getUsersQuotaScans(rr, req)
|
|
assert.Equal(t, http.StatusBadRequest, rr.Code)
|
|
assert.Contains(t, rr.Body.String(), "Invalid token claims")
|
|
|
|
rr = httptest.NewRecorder()
|
|
updateUserTransferQuotaUsage(rr, req)
|
|
assert.Equal(t, http.StatusBadRequest, rr.Code)
|
|
assert.Contains(t, rr.Body.String(), "Invalid token claims")
|
|
|
|
rr = httptest.NewRecorder()
|
|
doUpdateUserQuotaUsage(rr, req, "", quotaUsage{})
|
|
assert.Equal(t, http.StatusBadRequest, rr.Code)
|
|
assert.Contains(t, rr.Body.String(), "Invalid token claims")
|
|
|
|
rr = httptest.NewRecorder()
|
|
doStartUserQuotaScan(rr, req, "")
|
|
assert.Equal(t, http.StatusBadRequest, rr.Code)
|
|
assert.Contains(t, rr.Body.String(), "Invalid token claims")
|
|
|
|
rr = httptest.NewRecorder()
|
|
getRetentionChecks(rr, req)
|
|
assert.Equal(t, http.StatusBadRequest, rr.Code)
|
|
assert.Contains(t, rr.Body.String(), "Invalid token claims")
|
|
|
|
rr = httptest.NewRecorder()
|
|
addRole(rr, req)
|
|
assert.Equal(t, http.StatusBadRequest, rr.Code)
|
|
assert.Contains(t, rr.Body.String(), "Invalid token claims")
|
|
|
|
rr = httptest.NewRecorder()
|
|
updateRole(rr, req)
|
|
assert.Equal(t, http.StatusBadRequest, rr.Code)
|
|
assert.Contains(t, rr.Body.String(), "Invalid token claims")
|
|
|
|
rr = httptest.NewRecorder()
|
|
deleteRole(rr, req)
|
|
assert.Equal(t, http.StatusBadRequest, rr.Code)
|
|
assert.Contains(t, rr.Body.String(), "Invalid token claims")
|
|
|
|
rr = httptest.NewRecorder()
|
|
getUsers(rr, req)
|
|
assert.Equal(t, http.StatusBadRequest, rr.Code)
|
|
assert.Contains(t, rr.Body.String(), "Invalid token claims")
|
|
|
|
rr = httptest.NewRecorder()
|
|
getUserByUsername(rr, req)
|
|
assert.Equal(t, http.StatusBadRequest, rr.Code)
|
|
assert.Contains(t, rr.Body.String(), "Invalid token claims")
|
|
|
|
rr = httptest.NewRecorder()
|
|
searchFsEvents(rr, req)
|
|
assert.Equal(t, http.StatusBadRequest, rr.Code)
|
|
assert.Contains(t, rr.Body.String(), "Invalid token claims")
|
|
|
|
rr = httptest.NewRecorder()
|
|
searchProviderEvents(rr, req)
|
|
assert.Equal(t, http.StatusBadRequest, rr.Code)
|
|
assert.Contains(t, rr.Body.String(), "Invalid token claims")
|
|
|
|
rr = httptest.NewRecorder()
|
|
searchLogEvents(rr, req)
|
|
assert.Equal(t, http.StatusBadRequest, rr.Code)
|
|
assert.Contains(t, rr.Body.String(), "Invalid token claims")
|
|
|
|
rr = httptest.NewRecorder()
|
|
addIPListEntry(rr, req)
|
|
assert.Equal(t, http.StatusBadRequest, rr.Code)
|
|
assert.Contains(t, rr.Body.String(), "Invalid token claims")
|
|
|
|
rr = httptest.NewRecorder()
|
|
updateIPListEntry(rr, req)
|
|
assert.Equal(t, http.StatusBadRequest, rr.Code)
|
|
assert.Contains(t, rr.Body.String(), "Invalid token claims")
|
|
|
|
rr = httptest.NewRecorder()
|
|
deleteIPListEntry(rr, req)
|
|
assert.Equal(t, http.StatusBadRequest, rr.Code)
|
|
assert.Contains(t, rr.Body.String(), "Invalid token claims")
|
|
|
|
rr = httptest.NewRecorder()
|
|
server.handleGetWebUsers(rr, req)
|
|
assert.Equal(t, http.StatusForbidden, rr.Code)
|
|
assert.Contains(t, rr.Body.String(), util.I18nErrorInvalidToken)
|
|
|
|
rr = httptest.NewRecorder()
|
|
server.handleWebUpdateUserGet(rr, req)
|
|
assert.Equal(t, http.StatusForbidden, rr.Code)
|
|
assert.Contains(t, rr.Body.String(), util.I18nErrorInvalidToken)
|
|
|
|
rr = httptest.NewRecorder()
|
|
server.handleWebUpdateRolePost(rr, req)
|
|
assert.Equal(t, http.StatusForbidden, rr.Code)
|
|
assert.Contains(t, rr.Body.String(), util.I18nErrorInvalidToken)
|
|
|
|
rr = httptest.NewRecorder()
|
|
server.handleWebAddRolePost(rr, req)
|
|
assert.Equal(t, http.StatusForbidden, rr.Code)
|
|
assert.Contains(t, rr.Body.String(), util.I18nErrorInvalidToken)
|
|
|
|
rr = httptest.NewRecorder()
|
|
server.handleWebAddAdminPost(rr, req)
|
|
assert.Equal(t, http.StatusForbidden, rr.Code)
|
|
assert.Contains(t, rr.Body.String(), util.I18nErrorInvalidToken)
|
|
|
|
rr = httptest.NewRecorder()
|
|
server.handleWebAddGroupPost(rr, req)
|
|
assert.Equal(t, http.StatusForbidden, rr.Code)
|
|
assert.Contains(t, rr.Body.String(), util.I18nErrorInvalidToken)
|
|
|
|
rr = httptest.NewRecorder()
|
|
server.handleWebUpdateGroupPost(rr, req)
|
|
assert.Equal(t, http.StatusForbidden, rr.Code)
|
|
assert.Contains(t, rr.Body.String(), util.I18nErrorInvalidToken)
|
|
|
|
rr = httptest.NewRecorder()
|
|
server.handleWebAddEventActionPost(rr, req)
|
|
assert.Equal(t, http.StatusForbidden, rr.Code)
|
|
assert.Contains(t, rr.Body.String(), util.I18nErrorInvalidToken)
|
|
|
|
rr = httptest.NewRecorder()
|
|
server.handleWebUpdateEventActionPost(rr, req)
|
|
assert.Equal(t, http.StatusForbidden, rr.Code)
|
|
assert.Contains(t, rr.Body.String(), util.I18nErrorInvalidToken)
|
|
|
|
rr = httptest.NewRecorder()
|
|
server.handleWebAddEventRulePost(rr, req)
|
|
assert.Equal(t, http.StatusForbidden, rr.Code)
|
|
assert.Contains(t, rr.Body.String(), util.I18nErrorInvalidToken)
|
|
|
|
rr = httptest.NewRecorder()
|
|
server.handleWebUpdateEventRulePost(rr, req)
|
|
assert.Equal(t, http.StatusForbidden, rr.Code)
|
|
assert.Contains(t, rr.Body.String(), util.I18nErrorInvalidToken)
|
|
|
|
rr = httptest.NewRecorder()
|
|
server.handleWebUpdateIPListEntryPost(rr, req)
|
|
assert.Equal(t, http.StatusForbidden, rr.Code)
|
|
assert.Contains(t, rr.Body.String(), util.I18nErrorInvalidToken)
|
|
|
|
rr = httptest.NewRecorder()
|
|
server.handleWebClientTwoFactorRecoveryPost(rr, req)
|
|
assert.Equal(t, http.StatusNotFound, rr.Code)
|
|
|
|
rr = httptest.NewRecorder()
|
|
server.handleWebClientTwoFactorPost(rr, req)
|
|
assert.Equal(t, http.StatusNotFound, rr.Code)
|
|
|
|
rr = httptest.NewRecorder()
|
|
server.handleWebAdminTwoFactorRecoveryPost(rr, req)
|
|
assert.Equal(t, http.StatusNotFound, rr.Code)
|
|
|
|
rr = httptest.NewRecorder()
|
|
server.handleWebAdminTwoFactorPost(rr, req)
|
|
assert.Equal(t, http.StatusNotFound, rr.Code)
|
|
|
|
rr = httptest.NewRecorder()
|
|
server.handleWebUpdateIPListEntryPost(rr, req)
|
|
assert.Equal(t, http.StatusForbidden, rr.Code)
|
|
assert.Contains(t, rr.Body.String(), util.I18nErrorInvalidToken)
|
|
|
|
form := make(url.Values)
|
|
req, _ = http.NewRequest(http.MethodPost, webIPListPath+"/1", bytes.NewBuffer([]byte(form.Encode())))
|
|
req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
|
|
rctx = chi.NewRouteContext()
|
|
rctx.URLParams.Add("type", "1")
|
|
req = req.WithContext(context.WithValue(req.Context(), chi.RouteCtxKey, rctx))
|
|
rr = httptest.NewRecorder()
|
|
server.handleWebAddIPListEntryPost(rr, req)
|
|
assert.Equal(t, http.StatusForbidden, rr.Code, rr.Body.String())
|
|
assert.Contains(t, rr.Body.String(), util.I18nErrorInvalidToken)
|
|
}
|
|
|
|
func TestTokenSignatureValidation(t *testing.T) {
|
|
tokenValidationMode = 0
|
|
server := httpdServer{
|
|
binding: Binding{
|
|
Address: "",
|
|
Port: 8080,
|
|
EnableWebAdmin: true,
|
|
EnableWebClient: true,
|
|
EnableRESTAPI: true,
|
|
},
|
|
enableWebAdmin: true,
|
|
enableWebClient: true,
|
|
enableRESTAPI: true,
|
|
}
|
|
server.initializeRouter()
|
|
testServer := httptest.NewServer(server.router)
|
|
defer testServer.Close()
|
|
|
|
rr := httptest.NewRecorder()
|
|
req, err := http.NewRequest(http.MethodGet, tokenPath, nil)
|
|
require.NoError(t, err)
|
|
req.SetBasicAuth(defaultAdminUsername, defaultAdminPass)
|
|
testServer.Config.Handler.ServeHTTP(rr, req)
|
|
assert.Equal(t, http.StatusOK, rr.Code)
|
|
var resp map[string]any
|
|
err = json.Unmarshal(rr.Body.Bytes(), &resp)
|
|
assert.NoError(t, err)
|
|
accessToken := resp["access_token"]
|
|
require.NotEmpty(t, accessToken)
|
|
|
|
rr = httptest.NewRecorder()
|
|
req, err = http.NewRequest(http.MethodGet, versionPath, nil)
|
|
require.NoError(t, err)
|
|
req.Header.Set("Authorization", fmt.Sprintf("Bearer %s", accessToken))
|
|
testServer.Config.Handler.ServeHTTP(rr, req)
|
|
assert.Equal(t, http.StatusOK, rr.Code)
|
|
// change the token validation mode
|
|
tokenValidationMode = 2
|
|
rr = httptest.NewRecorder()
|
|
req, err = http.NewRequest(http.MethodGet, versionPath, nil)
|
|
require.NoError(t, err)
|
|
req.Header.Set("Authorization", fmt.Sprintf("Bearer %s", accessToken))
|
|
testServer.Config.Handler.ServeHTTP(rr, req)
|
|
assert.Equal(t, http.StatusOK, rr.Code)
|
|
// Now update the admin
|
|
admin, err := dataprovider.AdminExists(defaultAdminUsername)
|
|
assert.NoError(t, err)
|
|
err = dataprovider.UpdateAdmin(&admin, "", "", "")
|
|
assert.NoError(t, err)
|
|
// token validation mode is 0, the old token is still valid
|
|
tokenValidationMode = 0
|
|
rr = httptest.NewRecorder()
|
|
req, err = http.NewRequest(http.MethodGet, versionPath, nil)
|
|
require.NoError(t, err)
|
|
req.Header.Set("Authorization", fmt.Sprintf("Bearer %s", accessToken))
|
|
testServer.Config.Handler.ServeHTTP(rr, req)
|
|
assert.Equal(t, http.StatusOK, rr.Code)
|
|
// change the token validation mode
|
|
tokenValidationMode = 2
|
|
rr = httptest.NewRecorder()
|
|
req, err = http.NewRequest(http.MethodGet, versionPath, nil)
|
|
require.NoError(t, err)
|
|
req.Header.Set("Authorization", fmt.Sprintf("Bearer %s", accessToken))
|
|
testServer.Config.Handler.ServeHTTP(rr, req)
|
|
assert.Equal(t, http.StatusUnauthorized, rr.Code)
|
|
// the token is invalidated, changing the validation mode has no effect
|
|
tokenValidationMode = 0
|
|
rr = httptest.NewRecorder()
|
|
req, err = http.NewRequest(http.MethodGet, versionPath, nil)
|
|
require.NoError(t, err)
|
|
req.Header.Set("Authorization", fmt.Sprintf("Bearer %s", accessToken))
|
|
testServer.Config.Handler.ServeHTTP(rr, req)
|
|
assert.Equal(t, http.StatusUnauthorized, rr.Code)
|
|
|
|
userPwd := "pwd"
|
|
user := dataprovider.User{
|
|
BaseUser: sdk.BaseUser{
|
|
Username: defeaultUsername,
|
|
Password: userPwd,
|
|
HomeDir: filepath.Join(os.TempDir(), defeaultUsername),
|
|
Status: 1,
|
|
},
|
|
}
|
|
user.Permissions = make(map[string][]string)
|
|
user.Permissions["/"] = []string{dataprovider.PermAny}
|
|
err = dataprovider.AddUser(&user, "", "", "")
|
|
assert.NoError(t, err)
|
|
|
|
defer func() {
|
|
dataprovider.DeleteUser(defeaultUsername, "", "", "") //nolint:errcheck
|
|
}()
|
|
|
|
tokenValidationMode = 2
|
|
req, err = http.NewRequest(http.MethodGet, webClientLoginPath, nil)
|
|
require.NoError(t, err)
|
|
rr = httptest.NewRecorder()
|
|
testServer.Config.Handler.ServeHTTP(rr, req)
|
|
assert.Equal(t, http.StatusOK, rr.Code)
|
|
loginCookie := strings.Split(rr.Header().Get("Set-Cookie"), ";")[0]
|
|
assert.NotEmpty(t, loginCookie)
|
|
csrfToken, err := getCSRFTokenFromBody(rr.Body)
|
|
assert.NoError(t, err)
|
|
assert.NotEmpty(t, csrfToken)
|
|
// Now login
|
|
form := make(url.Values)
|
|
form.Set(csrfFormToken, csrfToken)
|
|
form.Set("username", defeaultUsername)
|
|
form.Set("password", userPwd)
|
|
req, err = http.NewRequest(http.MethodPost, webClientLoginPath, bytes.NewBuffer([]byte(form.Encode())))
|
|
assert.NoError(t, err)
|
|
req.Header.Set("Cookie", loginCookie)
|
|
req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
|
|
rr = httptest.NewRecorder()
|
|
testServer.Config.Handler.ServeHTTP(rr, req)
|
|
assert.Equal(t, http.StatusFound, rr.Code)
|
|
userCookie := strings.Split(rr.Header().Get("Set-Cookie"), ";")[0]
|
|
assert.NotEmpty(t, userCookie)
|
|
// Test a WebClient page and a JSON API
|
|
rr = httptest.NewRecorder()
|
|
req, err = http.NewRequest(http.MethodGet, webClientFilesPath, nil)
|
|
require.NoError(t, err)
|
|
req.Header.Set("Cookie", userCookie)
|
|
testServer.Config.Handler.ServeHTTP(rr, req)
|
|
assert.Equal(t, http.StatusOK, rr.Code)
|
|
rr = httptest.NewRecorder()
|
|
req, err = http.NewRequest(http.MethodGet, webClientProfilePath, nil)
|
|
require.NoError(t, err)
|
|
req.Header.Set("Cookie", userCookie)
|
|
testServer.Config.Handler.ServeHTTP(rr, req)
|
|
assert.Equal(t, http.StatusOK, rr.Code)
|
|
csrfToken, err = getCSRFTokenFromBody(rr.Body)
|
|
assert.NoError(t, err)
|
|
assert.NotEmpty(t, csrfToken)
|
|
|
|
rr = httptest.NewRecorder()
|
|
req, err = http.NewRequest(http.MethodGet, webClientFilePath+"?path=missing.txt", nil)
|
|
require.NoError(t, err)
|
|
req.Header.Set("Cookie", userCookie)
|
|
req.Header.Set(csrfHeaderToken, csrfToken)
|
|
testServer.Config.Handler.ServeHTTP(rr, req)
|
|
assert.Equal(t, http.StatusNotFound, rr.Code)
|
|
|
|
tokenValidationMode = 0
|
|
err = dataprovider.DeleteUser(defeaultUsername, "", "", "")
|
|
assert.NoError(t, err)
|
|
|
|
rr = httptest.NewRecorder()
|
|
req, err = http.NewRequest(http.MethodGet, webClientFilePath+"?path=missing.txt", nil)
|
|
require.NoError(t, err)
|
|
req.Header.Set("Cookie", userCookie)
|
|
req.Header.Set(csrfHeaderToken, csrfToken)
|
|
testServer.Config.Handler.ServeHTTP(rr, req)
|
|
assert.Equal(t, http.StatusNotFound, rr.Code)
|
|
|
|
tokenValidationMode = 2
|
|
rr = httptest.NewRecorder()
|
|
req, err = http.NewRequest(http.MethodGet, webClientFilePath+"?path=missing.txt", nil)
|
|
require.NoError(t, err)
|
|
req.Header.Set("Cookie", userCookie)
|
|
req.Header.Set(csrfHeaderToken, csrfToken)
|
|
testServer.Config.Handler.ServeHTTP(rr, req)
|
|
assert.Equal(t, http.StatusFound, rr.Code)
|
|
|
|
tokenValidationMode = 0
|
|
}
|
|
|
|
func TestUpdateWebAdminInvalidClaims(t *testing.T) {
|
|
server := httpdServer{}
|
|
server.initializeRouter()
|
|
|
|
rr := httptest.NewRecorder()
|
|
admin := dataprovider.Admin{
|
|
Username: "",
|
|
Password: "password",
|
|
}
|
|
c := jwtTokenClaims{
|
|
Username: admin.Username,
|
|
Permissions: admin.Permissions,
|
|
Signature: admin.GetSignature(),
|
|
}
|
|
token, err := c.createTokenResponse(server.tokenAuth, tokenAudienceWebAdmin, "")
|
|
assert.NoError(t, err)
|
|
|
|
req, err := http.NewRequest(http.MethodGet, webAdminPath, nil)
|
|
assert.NoError(t, err)
|
|
req.Header.Set("Cookie", fmt.Sprintf("jwt=%v", token["access_token"]))
|
|
parsedToken, err := jwtauth.VerifyRequest(server.tokenAuth, req, jwtauth.TokenFromCookie)
|
|
assert.NoError(t, err)
|
|
ctx := req.Context()
|
|
ctx = jwtauth.NewContext(ctx, parsedToken, err)
|
|
req = req.WithContext(ctx)
|
|
|
|
form := make(url.Values)
|
|
form.Set(csrfFormToken, createCSRFToken(rr, req, server.csrfTokenAuth, "", webBaseAdminPath))
|
|
form.Set("status", "1")
|
|
form.Set("default_users_expiration", "30")
|
|
req, err = http.NewRequest(http.MethodPost, path.Join(webAdminPath, "admin"), bytes.NewBuffer([]byte(form.Encode())))
|
|
assert.NoError(t, err)
|
|
rctx := chi.NewRouteContext()
|
|
rctx.URLParams.Add("username", "admin")
|
|
req = req.WithContext(ctx)
|
|
req = req.WithContext(context.WithValue(req.Context(), chi.RouteCtxKey, rctx))
|
|
req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
|
|
req.Header.Set("Cookie", fmt.Sprintf("jwt=%v", token["access_token"]))
|
|
server.handleWebUpdateAdminPost(rr, req)
|
|
assert.Equal(t, http.StatusOK, rr.Code)
|
|
assert.Contains(t, rr.Body.String(), util.I18nErrorInvalidToken)
|
|
}
|
|
|
|
func TestRetentionInvalidTokenClaims(t *testing.T) {
|
|
username := "retentionuser"
|
|
user := dataprovider.User{
|
|
BaseUser: sdk.BaseUser{
|
|
Username: username,
|
|
Password: "pwd",
|
|
HomeDir: filepath.Join(os.TempDir(), username),
|
|
Status: 1,
|
|
},
|
|
}
|
|
user.Permissions = make(map[string][]string)
|
|
user.Permissions["/"] = []string{dataprovider.PermAny}
|
|
user.Filters.AllowAPIKeyAuth = true
|
|
err := dataprovider.AddUser(&user, "", "", "")
|
|
assert.NoError(t, err)
|
|
folderRetention := []dataprovider.FolderRetention{
|
|
{
|
|
Path: "/",
|
|
Retention: 0,
|
|
DeleteEmptyDirs: true,
|
|
},
|
|
}
|
|
asJSON, err := json.Marshal(folderRetention)
|
|
assert.NoError(t, err)
|
|
req, _ := http.NewRequest(http.MethodPost, retentionBasePath+"/"+username+"/check?notifications=Email", bytes.NewBuffer(asJSON))
|
|
|
|
rctx := chi.NewRouteContext()
|
|
rctx.URLParams.Add("username", username)
|
|
|
|
req = req.WithContext(context.WithValue(req.Context(), chi.RouteCtxKey, rctx))
|
|
req = req.WithContext(context.WithValue(req.Context(), jwtauth.ErrorCtxKey, errors.New("error")))
|
|
rr := httptest.NewRecorder()
|
|
startRetentionCheck(rr, req)
|
|
assert.Equal(t, http.StatusBadRequest, rr.Code)
|
|
assert.Contains(t, rr.Body.String(), "Invalid token claims")
|
|
|
|
err = dataprovider.DeleteUser(username, "", "", "")
|
|
assert.NoError(t, err)
|
|
}
|
|
|
|
func TestUpdateSMTPSecrets(t *testing.T) {
|
|
currentConfigs := &dataprovider.SMTPConfigs{
|
|
OAuth2: dataprovider.SMTPOAuth2{
|
|
ClientSecret: kms.NewPlainSecret("client secret"),
|
|
RefreshToken: kms.NewPlainSecret("refresh token"),
|
|
},
|
|
}
|
|
redactedClientSecret := kms.NewPlainSecret("secret")
|
|
redactedRefreshToken := kms.NewPlainSecret("token")
|
|
redactedClientSecret.SetStatus(sdkkms.SecretStatusRedacted)
|
|
redactedRefreshToken.SetStatus(sdkkms.SecretStatusRedacted)
|
|
newConfigs := &dataprovider.SMTPConfigs{
|
|
Password: kms.NewPlainSecret("pwd"),
|
|
OAuth2: dataprovider.SMTPOAuth2{
|
|
ClientSecret: redactedClientSecret,
|
|
RefreshToken: redactedRefreshToken,
|
|
},
|
|
}
|
|
updateSMTPSecrets(newConfigs, currentConfigs)
|
|
assert.Nil(t, currentConfigs.Password)
|
|
assert.NotNil(t, newConfigs.Password)
|
|
assert.Equal(t, currentConfigs.OAuth2.ClientSecret, newConfigs.OAuth2.ClientSecret)
|
|
assert.Equal(t, currentConfigs.OAuth2.RefreshToken, newConfigs.OAuth2.RefreshToken)
|
|
|
|
clientSecret := kms.NewPlainSecret("plain secret")
|
|
refreshToken := kms.NewPlainSecret("plain token")
|
|
newConfigs = &dataprovider.SMTPConfigs{
|
|
Password: kms.NewPlainSecret("pwd"),
|
|
OAuth2: dataprovider.SMTPOAuth2{
|
|
ClientSecret: clientSecret,
|
|
RefreshToken: refreshToken,
|
|
},
|
|
}
|
|
updateSMTPSecrets(newConfigs, currentConfigs)
|
|
assert.Equal(t, clientSecret, newConfigs.OAuth2.ClientSecret)
|
|
assert.Equal(t, refreshToken, newConfigs.OAuth2.RefreshToken)
|
|
}
|
|
|
|
func TestOAuth2Redirect(t *testing.T) {
|
|
server := httpdServer{}
|
|
server.initializeRouter()
|
|
|
|
rr := httptest.NewRecorder()
|
|
req, err := http.NewRequest(http.MethodGet, webOAuth2RedirectPath+"?state=invalid", nil)
|
|
assert.NoError(t, err)
|
|
server.handleOAuth2TokenRedirect(rr, req)
|
|
assert.Equal(t, http.StatusBadRequest, rr.Code)
|
|
assert.Contains(t, rr.Body.String(), util.I18nOAuth2ErrorTitle)
|
|
|
|
ip := "127.1.1.4"
|
|
tokenString := createOAuth2Token(server.csrfTokenAuth, xid.New().String(), ip)
|
|
rr = httptest.NewRecorder()
|
|
req, err = http.NewRequest(http.MethodGet, webOAuth2RedirectPath+"?state="+tokenString, nil) //nolint:goconst
|
|
assert.NoError(t, err)
|
|
req.RemoteAddr = ip
|
|
server.handleOAuth2TokenRedirect(rr, req)
|
|
assert.Equal(t, http.StatusInternalServerError, rr.Code)
|
|
assert.Contains(t, rr.Body.String(), util.I18nOAuth2ErrorValidateState)
|
|
}
|
|
|
|
func TestOAuth2Token(t *testing.T) {
|
|
server := httpdServer{}
|
|
server.initializeRouter()
|
|
// invalid token
|
|
_, err := verifyOAuth2Token(server.csrfTokenAuth, "token", "")
|
|
if assert.Error(t, err) {
|
|
assert.Contains(t, err.Error(), "unable to verify OAuth2 state")
|
|
}
|
|
// bad audience
|
|
claims := make(map[string]any)
|
|
now := time.Now().UTC()
|
|
|
|
claims[jwt.JwtIDKey] = xid.New().String()
|
|
claims[jwt.NotBeforeKey] = now.Add(-30 * time.Second)
|
|
claims[jwt.ExpirationKey] = now.Add(tokenDuration)
|
|
claims[jwt.AudienceKey] = []string{tokenAudienceAPI}
|
|
|
|
_, tokenString, err := server.csrfTokenAuth.Encode(claims)
|
|
assert.NoError(t, err)
|
|
_, err = verifyOAuth2Token(server.csrfTokenAuth, tokenString, "")
|
|
if assert.Error(t, err) {
|
|
assert.Contains(t, err.Error(), "invalid OAuth2 state")
|
|
}
|
|
// bad IP
|
|
tokenString = createOAuth2Token(server.csrfTokenAuth, "state", "127.1.1.1")
|
|
_, err = verifyOAuth2Token(server.csrfTokenAuth, tokenString, "127.1.1.2")
|
|
if assert.Error(t, err) {
|
|
assert.Contains(t, err.Error(), "invalid OAuth2 state")
|
|
}
|
|
// ok
|
|
state := xid.New().String()
|
|
tokenString = createOAuth2Token(server.csrfTokenAuth, state, "127.1.1.3")
|
|
s, err := verifyOAuth2Token(server.csrfTokenAuth, tokenString, "127.1.1.3")
|
|
assert.NoError(t, err)
|
|
assert.Equal(t, state, s)
|
|
// no jti
|
|
claims = make(map[string]any)
|
|
|
|
claims[jwt.NotBeforeKey] = now.Add(-30 * time.Second)
|
|
claims[jwt.ExpirationKey] = now.Add(tokenDuration)
|
|
claims[jwt.AudienceKey] = []string{tokenAudienceOAuth2, "127.1.1.4"}
|
|
_, tokenString, err = server.csrfTokenAuth.Encode(claims)
|
|
assert.NoError(t, err)
|
|
_, err = verifyOAuth2Token(server.csrfTokenAuth, tokenString, "127.1.1.4")
|
|
if assert.Error(t, err) {
|
|
assert.Contains(t, err.Error(), "invalid OAuth2 state")
|
|
}
|
|
// encode error
|
|
server.csrfTokenAuth = jwtauth.New("HT256", util.GenerateRandomBytes(32), nil)
|
|
tokenString = createOAuth2Token(server.csrfTokenAuth, xid.New().String(), "")
|
|
assert.Empty(t, tokenString)
|
|
|
|
rr := httptest.NewRecorder()
|
|
testReq := make(map[string]any)
|
|
testReq["base_redirect_url"] = "http://localhost:8082"
|
|
asJSON, err := json.Marshal(testReq)
|
|
assert.NoError(t, err)
|
|
req, err := http.NewRequest(http.MethodPost, webOAuth2TokenPath, bytes.NewBuffer(asJSON))
|
|
assert.NoError(t, err)
|
|
server.handleSMTPOAuth2TokenRequestPost(rr, req)
|
|
assert.Equal(t, http.StatusInternalServerError, rr.Code)
|
|
assert.Contains(t, rr.Body.String(), "unable to create state token")
|
|
}
|
|
|
|
func TestCSRFToken(t *testing.T) {
|
|
server := httpdServer{}
|
|
server.initializeRouter()
|
|
// invalid token
|
|
req := &http.Request{}
|
|
err := verifyCSRFToken(req, server.csrfTokenAuth)
|
|
if assert.Error(t, err) {
|
|
assert.Contains(t, err.Error(), "unable to verify form token")
|
|
}
|
|
// bad audience
|
|
claims := make(map[string]any)
|
|
now := time.Now().UTC()
|
|
|
|
claims[jwt.JwtIDKey] = xid.New().String()
|
|
claims[jwt.NotBeforeKey] = now.Add(-30 * time.Second)
|
|
claims[jwt.ExpirationKey] = now.Add(tokenDuration)
|
|
claims[jwt.AudienceKey] = []string{tokenAudienceAPI}
|
|
|
|
_, tokenString, err := server.csrfTokenAuth.Encode(claims)
|
|
assert.NoError(t, err)
|
|
values := url.Values{}
|
|
values.Set(csrfFormToken, tokenString)
|
|
req.Form = values
|
|
err = verifyCSRFToken(req, server.csrfTokenAuth)
|
|
if assert.Error(t, err) {
|
|
assert.Contains(t, err.Error(), "form token is not valid")
|
|
}
|
|
|
|
// bad IP
|
|
req.RemoteAddr = "127.1.1.1"
|
|
tokenString = createCSRFToken(httptest.NewRecorder(), req, server.csrfTokenAuth, "", webBaseAdminPath)
|
|
values.Set(csrfFormToken, tokenString)
|
|
req.Form = values
|
|
req.RemoteAddr = "127.1.1.2"
|
|
err = verifyCSRFToken(req, server.csrfTokenAuth)
|
|
if assert.Error(t, err) {
|
|
assert.Contains(t, err.Error(), "form token is not valid")
|
|
}
|
|
|
|
claims[jwt.JwtIDKey] = xid.New().String()
|
|
claims[jwt.NotBeforeKey] = now.Add(-30 * time.Second)
|
|
claims[jwt.ExpirationKey] = now.Add(tokenDuration)
|
|
claims[jwt.AudienceKey] = []string{tokenAudienceAPI}
|
|
_, tokenString, err = server.csrfTokenAuth.Encode(claims)
|
|
assert.NoError(t, err)
|
|
assert.NotEmpty(t, tokenString)
|
|
|
|
r := GetHTTPRouter(Binding{
|
|
Address: "",
|
|
Port: 8080,
|
|
EnableWebAdmin: true,
|
|
EnableWebClient: true,
|
|
EnableRESTAPI: true,
|
|
RenderOpenAPI: true,
|
|
})
|
|
fn := server.verifyCSRFHeader(r)
|
|
rr := httptest.NewRecorder()
|
|
req, _ = http.NewRequest(http.MethodDelete, path.Join(userPath, "username"), nil)
|
|
fn.ServeHTTP(rr, req)
|
|
assert.Equal(t, http.StatusForbidden, rr.Code)
|
|
assert.Contains(t, rr.Body.String(), "Invalid token")
|
|
|
|
// invalid audience
|
|
req.Header.Set(csrfHeaderToken, tokenString)
|
|
rr = httptest.NewRecorder()
|
|
fn.ServeHTTP(rr, req)
|
|
assert.Equal(t, http.StatusForbidden, rr.Code)
|
|
assert.Contains(t, rr.Body.String(), "the token is not valid")
|
|
|
|
// invalid IP
|
|
tokenString = createCSRFToken(httptest.NewRecorder(), req, server.csrfTokenAuth, "", webBaseAdminPath)
|
|
req.Header.Set(csrfHeaderToken, tokenString)
|
|
req.RemoteAddr = "172.16.1.2"
|
|
rr = httptest.NewRecorder()
|
|
fn.ServeHTTP(rr, req)
|
|
assert.Equal(t, http.StatusForbidden, rr.Code)
|
|
assert.Contains(t, rr.Body.String(), "the token is not valid")
|
|
|
|
csrfTokenAuth := jwtauth.New("PS256", util.GenerateRandomBytes(32), nil)
|
|
tokenString = createCSRFToken(httptest.NewRecorder(), req, csrfTokenAuth, "", webBaseAdminPath)
|
|
assert.Empty(t, tokenString)
|
|
rr = httptest.NewRecorder()
|
|
createLoginCookie(rr, req, csrfTokenAuth, "", webBaseAdminPath, req.RemoteAddr)
|
|
assert.Empty(t, rr.Header().Get("Set-Cookie"))
|
|
}
|
|
|
|
func TestCreateShareCookieError(t *testing.T) {
|
|
username := "share_user"
|
|
pwd := util.GenerateUniqueID()
|
|
user := &dataprovider.User{
|
|
BaseUser: sdk.BaseUser{
|
|
Username: username,
|
|
Password: pwd,
|
|
HomeDir: filepath.Join(os.TempDir(), username),
|
|
Status: 1,
|
|
Permissions: map[string][]string{
|
|
"/": {dataprovider.PermAny},
|
|
},
|
|
},
|
|
}
|
|
err := dataprovider.AddUser(user, "", "", "")
|
|
assert.NoError(t, err)
|
|
share := &dataprovider.Share{
|
|
Name: "test share cookie error",
|
|
ShareID: util.GenerateUniqueID(),
|
|
Scope: dataprovider.ShareScopeRead,
|
|
Password: pwd,
|
|
Paths: []string{"/"},
|
|
Username: username,
|
|
}
|
|
err = dataprovider.AddShare(share, "", "", "")
|
|
assert.NoError(t, err)
|
|
|
|
server := httpdServer{
|
|
tokenAuth: jwtauth.New("TS256", util.GenerateRandomBytes(32), nil),
|
|
csrfTokenAuth: jwtauth.New(jwa.HS256.String(), util.GenerateRandomBytes(32), nil),
|
|
}
|
|
|
|
c := jwtTokenClaims{
|
|
JwtID: xid.New().String(),
|
|
}
|
|
resp, err := c.createTokenResponse(server.csrfTokenAuth, tokenAudienceWebLogin, "127.0.0.1")
|
|
assert.NoError(t, err)
|
|
parsedToken, err := jwtauth.VerifyToken(server.csrfTokenAuth, resp["access_token"].(string))
|
|
assert.NoError(t, err)
|
|
|
|
req, err := http.NewRequest(http.MethodGet, path.Join(webClientPubSharesPath, share.ShareID, "login"), nil)
|
|
assert.NoError(t, err)
|
|
req.RemoteAddr = "127.0.0.1:4567"
|
|
ctx := req.Context()
|
|
ctx = jwtauth.NewContext(ctx, parsedToken, err)
|
|
req = req.WithContext(ctx)
|
|
|
|
form := make(url.Values)
|
|
form.Set("share_password", pwd)
|
|
form.Set(csrfFormToken, createCSRFToken(httptest.NewRecorder(), req, server.csrfTokenAuth, "", webBaseClientPath))
|
|
rctx := chi.NewRouteContext()
|
|
rctx.URLParams.Add("id", share.ShareID)
|
|
rr := httptest.NewRecorder()
|
|
req, err = http.NewRequest(http.MethodPost, path.Join(webClientPubSharesPath, share.ShareID, "login"),
|
|
bytes.NewBuffer([]byte(form.Encode())))
|
|
assert.NoError(t, err)
|
|
req.RemoteAddr = "127.0.0.1:2345"
|
|
req.Header.Set("Cookie", fmt.Sprintf("jwt=%v", resp["access_token"]))
|
|
req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
|
|
req = req.WithContext(ctx)
|
|
req = req.WithContext(context.WithValue(req.Context(), chi.RouteCtxKey, rctx))
|
|
server.handleClientShareLoginPost(rr, req)
|
|
assert.Equal(t, http.StatusOK, rr.Code, rr.Body.String())
|
|
assert.Contains(t, rr.Body.String(), util.I18nError500Message)
|
|
|
|
err = dataprovider.DeleteUser(username, "", "", "")
|
|
assert.NoError(t, err)
|
|
}
|
|
|
|
func TestCreateTokenError(t *testing.T) {
|
|
server := httpdServer{
|
|
tokenAuth: jwtauth.New("PS256", util.GenerateRandomBytes(32), nil),
|
|
csrfTokenAuth: jwtauth.New(jwa.HS256.String(), util.GenerateRandomBytes(32), nil),
|
|
}
|
|
rr := httptest.NewRecorder()
|
|
admin := dataprovider.Admin{
|
|
Username: defaultAdminUsername,
|
|
Password: "password",
|
|
}
|
|
req, _ := http.NewRequest(http.MethodGet, tokenPath, nil)
|
|
|
|
server.generateAndSendToken(rr, req, admin, "")
|
|
assert.Equal(t, http.StatusInternalServerError, rr.Code)
|
|
|
|
rr = httptest.NewRecorder()
|
|
user := dataprovider.User{
|
|
BaseUser: sdk.BaseUser{
|
|
Username: "u",
|
|
Password: util.GenerateUniqueID(),
|
|
},
|
|
}
|
|
req, _ = http.NewRequest(http.MethodGet, userTokenPath, nil)
|
|
|
|
server.generateAndSendUserToken(rr, req, "", user)
|
|
assert.Equal(t, http.StatusInternalServerError, rr.Code)
|
|
|
|
c := jwtTokenClaims{
|
|
JwtID: xid.New().String(),
|
|
}
|
|
token, err := c.createTokenResponse(server.csrfTokenAuth, tokenAudienceWebLogin, "")
|
|
assert.NoError(t, err)
|
|
|
|
req, err = http.NewRequest(http.MethodGet, webAdminLoginPath, nil)
|
|
assert.NoError(t, err)
|
|
req.Header.Set("Cookie", fmt.Sprintf("jwt=%v", token["access_token"]))
|
|
parsedToken, err := jwtauth.VerifyRequest(server.csrfTokenAuth, req, jwtauth.TokenFromCookie)
|
|
assert.NoError(t, err)
|
|
ctx := req.Context()
|
|
ctx = jwtauth.NewContext(ctx, parsedToken, err)
|
|
req = req.WithContext(ctx)
|
|
|
|
rr = httptest.NewRecorder()
|
|
form := make(url.Values)
|
|
form.Set("username", admin.Username)
|
|
form.Set("password", admin.Password)
|
|
form.Set(csrfFormToken, createCSRFToken(rr, req, server.csrfTokenAuth, xid.New().String(), webBaseAdminPath))
|
|
cookie := rr.Header().Get("Set-Cookie")
|
|
assert.NotEmpty(t, cookie)
|
|
req, _ = http.NewRequest(http.MethodPost, webAdminLoginPath, bytes.NewBuffer([]byte(form.Encode())))
|
|
req.Header.Set("Cookie", cookie)
|
|
req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
|
|
parsedToken, err = jwtauth.VerifyRequest(server.csrfTokenAuth, req, jwtauth.TokenFromCookie)
|
|
assert.NoError(t, err)
|
|
ctx = req.Context()
|
|
ctx = jwtauth.NewContext(ctx, parsedToken, err)
|
|
req = req.WithContext(ctx)
|
|
server.handleWebAdminLoginPost(rr, req)
|
|
assert.Equal(t, http.StatusOK, rr.Code, rr.Body.String())
|
|
// req with no content type
|
|
req, _ = http.NewRequest(http.MethodPost, webAdminLoginPath, nil)
|
|
rr = httptest.NewRecorder()
|
|
server.handleWebAdminLoginPost(rr, req)
|
|
assert.Equal(t, http.StatusOK, rr.Code, rr.Body.String())
|
|
req, _ = http.NewRequest(http.MethodPost, webAdminSetupPath, nil)
|
|
rr = httptest.NewRecorder()
|
|
server.loginAdmin(rr, req, &admin, false, nil, "")
|
|
// req with no POST body
|
|
req, _ = http.NewRequest(http.MethodGet, webAdminLoginPath+"?a=a%C3%AO%GG", nil)
|
|
req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
|
|
rr = httptest.NewRecorder()
|
|
server.handleWebAdminLoginPost(rr, req)
|
|
assert.Equal(t, http.StatusOK, rr.Code, rr.Body.String())
|
|
|
|
req, _ = http.NewRequest(http.MethodGet, webAdminLoginPath+"?a=a%C3%A1%G2", nil)
|
|
req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
|
|
rr = httptest.NewRecorder()
|
|
server.handleWebAdminChangePwdPost(rr, req)
|
|
assert.Equal(t, http.StatusOK, rr.Code, rr.Body.String())
|
|
assert.Contains(t, rr.Body.String(), util.I18nErrorInvalidForm)
|
|
|
|
req, _ = http.NewRequest(http.MethodGet, webAdminLoginPath+"?a=a%C3%A2%G3", nil)
|
|
req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
|
|
_, err = getAdminFromPostFields(req)
|
|
assert.Error(t, err)
|
|
|
|
req, _ = http.NewRequest(http.MethodPost, webAdminEventActionPath+"?a=a%C3%A2%GG", nil)
|
|
req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
|
|
_, err = getEventActionFromPostFields(req)
|
|
assert.Error(t, err)
|
|
|
|
req, _ = http.NewRequest(http.MethodPost, webAdminEventRulePath+"?a=a%C3%A3%GG", nil)
|
|
req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
|
|
_, err = getEventRuleFromPostFields(req)
|
|
assert.Error(t, err)
|
|
|
|
req, _ = http.NewRequest(http.MethodPost, webIPListPath+"/1?a=a%C3%AO%GG", nil)
|
|
req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
|
|
_, err = getIPListEntryFromPostFields(req, dataprovider.IPListTypeAllowList)
|
|
assert.Error(t, err)
|
|
|
|
req, _ = http.NewRequest(http.MethodPost, path.Join(webClientSharePath, "shareID", "login?a=a%C3%AO%GG"), bytes.NewBuffer([]byte(form.Encode())))
|
|
req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
|
|
rr = httptest.NewRecorder()
|
|
server.handleClientShareLoginPost(rr, req)
|
|
assert.Equal(t, http.StatusOK, rr.Code, rr.Body.String())
|
|
|
|
req, _ = http.NewRequest(http.MethodPost, webClientLoginPath+"?a=a%C3%AO%GG", bytes.NewBuffer([]byte(form.Encode())))
|
|
req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
|
|
rr = httptest.NewRecorder()
|
|
server.handleWebClientLoginPost(rr, req)
|
|
assert.Equal(t, http.StatusOK, rr.Code, rr.Body.String())
|
|
|
|
req, _ = http.NewRequest(http.MethodPost, webChangeClientPwdPath+"?a=a%C3%AO%GA", bytes.NewBuffer([]byte(form.Encode())))
|
|
req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
|
|
rr = httptest.NewRecorder()
|
|
server.handleWebClientChangePwdPost(rr, req)
|
|
assert.Equal(t, http.StatusOK, rr.Code, rr.Body.String())
|
|
assert.Contains(t, rr.Body.String(), util.I18nErrorInvalidForm)
|
|
|
|
req, _ = http.NewRequest(http.MethodPost, webClientProfilePath+"?a=a%C3%AO%GB", bytes.NewBuffer([]byte(form.Encode())))
|
|
req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
|
|
rr = httptest.NewRecorder()
|
|
server.handleWebClientProfilePost(rr, req)
|
|
assert.Equal(t, http.StatusInternalServerError, rr.Code, rr.Body.String())
|
|
|
|
req, _ = http.NewRequest(http.MethodPost, webAdminProfilePath+"?a=a%C3%AO%GB", bytes.NewBuffer([]byte(form.Encode())))
|
|
req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
|
|
rr = httptest.NewRecorder()
|
|
server.handleWebAdminProfilePost(rr, req)
|
|
assert.Equal(t, http.StatusInternalServerError, rr.Code, rr.Body.String())
|
|
|
|
req, _ = http.NewRequest(http.MethodPost, webAdminTwoFactorPath+"?a=a%C3%AO%GC", bytes.NewBuffer([]byte(form.Encode())))
|
|
req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
|
|
rr = httptest.NewRecorder()
|
|
server.handleWebAdminTwoFactorPost(rr, req)
|
|
assert.Equal(t, http.StatusOK, rr.Code, rr.Body.String())
|
|
assert.Contains(t, rr.Body.String(), util.I18nErrorInvalidForm)
|
|
|
|
req, _ = http.NewRequest(http.MethodPost, webAdminTwoFactorRecoveryPath+"?a=a%C3%AO%GD", bytes.NewBuffer([]byte(form.Encode())))
|
|
req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
|
|
rr = httptest.NewRecorder()
|
|
server.handleWebAdminTwoFactorRecoveryPost(rr, req)
|
|
assert.Equal(t, http.StatusOK, rr.Code, rr.Body.String())
|
|
assert.Contains(t, rr.Body.String(), util.I18nErrorInvalidForm)
|
|
|
|
req, _ = http.NewRequest(http.MethodPost, webClientTwoFactorPath+"?a=a%C3%AO%GC", bytes.NewBuffer([]byte(form.Encode())))
|
|
req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
|
|
rr = httptest.NewRecorder()
|
|
server.handleWebClientTwoFactorPost(rr, req)
|
|
assert.Equal(t, http.StatusOK, rr.Code, rr.Body.String())
|
|
assert.Contains(t, rr.Body.String(), util.I18nErrorInvalidForm)
|
|
|
|
req, _ = http.NewRequest(http.MethodPost, webClientTwoFactorRecoveryPath+"?a=a%C3%AO%GD", bytes.NewBuffer([]byte(form.Encode())))
|
|
req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
|
|
rr = httptest.NewRecorder()
|
|
server.handleWebClientTwoFactorRecoveryPost(rr, req)
|
|
assert.Equal(t, http.StatusOK, rr.Code, rr.Body.String())
|
|
assert.Contains(t, rr.Body.String(), util.I18nErrorInvalidForm)
|
|
|
|
req, _ = http.NewRequest(http.MethodPost, webAdminForgotPwdPath+"?a=a%C3%A1%GD", bytes.NewBuffer([]byte(form.Encode())))
|
|
req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
|
|
rr = httptest.NewRecorder()
|
|
server.handleWebAdminForgotPwdPost(rr, req)
|
|
assert.Equal(t, http.StatusOK, rr.Code, rr.Body.String())
|
|
assert.Contains(t, rr.Body.String(), util.I18nErrorInvalidForm)
|
|
|
|
req, _ = http.NewRequest(http.MethodPost, webClientForgotPwdPath+"?a=a%C2%A1%GD", bytes.NewBuffer([]byte(form.Encode())))
|
|
req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
|
|
rr = httptest.NewRecorder()
|
|
server.handleWebClientForgotPwdPost(rr, req)
|
|
assert.Equal(t, http.StatusOK, rr.Code, rr.Body.String())
|
|
assert.Contains(t, rr.Body.String(), util.I18nErrorInvalidForm)
|
|
|
|
req, _ = http.NewRequest(http.MethodPost, webAdminResetPwdPath+"?a=a%C3%AO%JD", bytes.NewBuffer([]byte(form.Encode())))
|
|
req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
|
|
rr = httptest.NewRecorder()
|
|
server.handleWebAdminPasswordResetPost(rr, req)
|
|
assert.Equal(t, http.StatusOK, rr.Code, rr.Body.String())
|
|
assert.Contains(t, rr.Body.String(), util.I18nErrorInvalidForm)
|
|
|
|
req, _ = http.NewRequest(http.MethodPost, webAdminRolePath+"?a=a%C3%AO%JE", bytes.NewBuffer([]byte(form.Encode())))
|
|
req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
|
|
rr = httptest.NewRecorder()
|
|
server.handleWebAddRolePost(rr, req)
|
|
assert.Equal(t, http.StatusOK, rr.Code, rr.Body.String())
|
|
assert.Contains(t, rr.Body.String(), util.I18nErrorInvalidForm)
|
|
|
|
req, _ = http.NewRequest(http.MethodPost, webClientResetPwdPath+"?a=a%C3%AO%JD", bytes.NewBuffer([]byte(form.Encode())))
|
|
req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
|
|
rr = httptest.NewRecorder()
|
|
server.handleWebClientPasswordResetPost(rr, req)
|
|
assert.Equal(t, http.StatusOK, rr.Code, rr.Body.String())
|
|
assert.Contains(t, rr.Body.String(), util.I18nErrorInvalidForm)
|
|
|
|
req, _ = http.NewRequest(http.MethodPost, webChangeClientPwdPath+"?a=a%K3%AO%GA", bytes.NewBuffer([]byte(form.Encode())))
|
|
_, err = getShareFromPostFields(req)
|
|
if assert.Error(t, err) {
|
|
assert.Contains(t, err.Error(), "invalid URL escape")
|
|
}
|
|
|
|
username := "webclientuser"
|
|
user = dataprovider.User{
|
|
BaseUser: sdk.BaseUser{
|
|
Username: username,
|
|
Password: "clientpwd",
|
|
HomeDir: filepath.Join(os.TempDir(), username),
|
|
Status: 1,
|
|
Description: "test user",
|
|
},
|
|
}
|
|
user.Permissions = make(map[string][]string)
|
|
user.Permissions["/"] = []string{dataprovider.PermAny}
|
|
user.Filters.AllowAPIKeyAuth = true
|
|
err = dataprovider.AddUser(&user, "", "", "")
|
|
assert.NoError(t, err)
|
|
|
|
req, err = http.NewRequest(http.MethodGet, webClientLoginPath, nil)
|
|
assert.NoError(t, err)
|
|
req.Header.Set("Cookie", fmt.Sprintf("jwt=%v", token["access_token"]))
|
|
parsedToken, err = jwtauth.VerifyRequest(server.csrfTokenAuth, req, jwtauth.TokenFromCookie)
|
|
assert.NoError(t, err)
|
|
ctx = req.Context()
|
|
ctx = jwtauth.NewContext(ctx, parsedToken, err)
|
|
req = req.WithContext(ctx)
|
|
|
|
rr = httptest.NewRecorder()
|
|
form = make(url.Values)
|
|
form.Set("username", user.Username)
|
|
form.Set("password", "clientpwd")
|
|
form.Set(csrfFormToken, createCSRFToken(rr, req, server.csrfTokenAuth, "", webBaseClientPath))
|
|
req, _ = http.NewRequest(http.MethodPost, webClientLoginPath, bytes.NewBuffer([]byte(form.Encode())))
|
|
req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
|
|
server.handleWebClientLoginPost(rr, req)
|
|
assert.Equal(t, http.StatusOK, rr.Code, rr.Body.String())
|
|
|
|
err = authenticateUserWithAPIKey(username, "", server.tokenAuth, req)
|
|
assert.Error(t, err)
|
|
|
|
err = dataprovider.DeleteUser(username, "", "", "")
|
|
assert.NoError(t, err)
|
|
err = os.RemoveAll(user.HomeDir)
|
|
assert.NoError(t, err)
|
|
|
|
admin.Username += "1"
|
|
admin.Status = 1
|
|
admin.Filters.AllowAPIKeyAuth = true
|
|
admin.Permissions = []string{dataprovider.PermAdminAny}
|
|
err = dataprovider.AddAdmin(&admin, "", "", "")
|
|
assert.NoError(t, err)
|
|
|
|
err = authenticateAdminWithAPIKey(admin.Username, "", server.tokenAuth, req)
|
|
assert.Error(t, err)
|
|
|
|
err = dataprovider.DeleteAdmin(admin.Username, "", "", "")
|
|
assert.NoError(t, err)
|
|
}
|
|
|
|
func TestAPIKeyAuthForbidden(t *testing.T) {
|
|
r := GetHTTPRouter(Binding{
|
|
Address: "",
|
|
Port: 8080,
|
|
EnableWebAdmin: true,
|
|
EnableWebClient: true,
|
|
EnableRESTAPI: true,
|
|
RenderOpenAPI: true,
|
|
})
|
|
fn := forbidAPIKeyAuthentication(r)
|
|
rr := httptest.NewRecorder()
|
|
req, _ := http.NewRequest(http.MethodGet, versionPath, nil)
|
|
fn.ServeHTTP(rr, req)
|
|
assert.Equal(t, http.StatusBadRequest, rr.Code)
|
|
assert.Contains(t, rr.Body.String(), "Invalid token claims")
|
|
}
|
|
|
|
func TestJWTTokenValidation(t *testing.T) {
|
|
tokenAuth := jwtauth.New(jwa.HS256.String(), util.GenerateRandomBytes(32), nil)
|
|
claims := make(map[string]any)
|
|
claims["username"] = defaultAdminUsername
|
|
claims[jwt.ExpirationKey] = time.Now().UTC().Add(-1 * time.Hour)
|
|
token, _, err := tokenAuth.Encode(claims)
|
|
assert.NoError(t, err)
|
|
|
|
server := httpdServer{
|
|
binding: Binding{
|
|
Address: "",
|
|
Port: 8080,
|
|
EnableWebAdmin: true,
|
|
EnableWebClient: true,
|
|
EnableRESTAPI: true,
|
|
RenderOpenAPI: true,
|
|
},
|
|
}
|
|
server.initializeRouter()
|
|
r := server.router
|
|
fn := jwtAuthenticatorAPI(r)
|
|
rr := httptest.NewRecorder()
|
|
req, _ := http.NewRequest(http.MethodGet, userPath, nil)
|
|
ctx := jwtauth.NewContext(req.Context(), token, nil)
|
|
fn.ServeHTTP(rr, req.WithContext(ctx))
|
|
assert.Equal(t, http.StatusUnauthorized, rr.Code)
|
|
|
|
fn = jwtAuthenticatorWebAdmin(r)
|
|
rr = httptest.NewRecorder()
|
|
req, _ = http.NewRequest(http.MethodGet, webUserPath, nil)
|
|
ctx = jwtauth.NewContext(req.Context(), token, nil)
|
|
fn.ServeHTTP(rr, req.WithContext(ctx))
|
|
assert.Equal(t, http.StatusFound, rr.Code)
|
|
assert.Equal(t, webAdminLoginPath, rr.Header().Get("Location"))
|
|
|
|
fn = jwtAuthenticatorWebClient(r)
|
|
rr = httptest.NewRecorder()
|
|
req, _ = http.NewRequest(http.MethodGet, webClientFilesPath, nil)
|
|
ctx = jwtauth.NewContext(req.Context(), token, nil)
|
|
fn.ServeHTTP(rr, req.WithContext(ctx))
|
|
assert.Equal(t, http.StatusFound, rr.Code)
|
|
assert.Equal(t, webClientLoginPath, rr.Header().Get("Location"))
|
|
|
|
errTest := errors.New("test error")
|
|
permFn := server.checkPerm(dataprovider.PermAdminAny)
|
|
fn = permFn(r)
|
|
rr = httptest.NewRecorder()
|
|
req, _ = http.NewRequest(http.MethodGet, userPath, nil)
|
|
ctx = jwtauth.NewContext(req.Context(), token, errTest)
|
|
fn.ServeHTTP(rr, req.WithContext(ctx))
|
|
assert.Equal(t, http.StatusBadRequest, rr.Code)
|
|
|
|
permFn = server.checkPerm(dataprovider.PermAdminAny)
|
|
fn = permFn(r)
|
|
rr = httptest.NewRecorder()
|
|
req, _ = http.NewRequest(http.MethodGet, webUserPath, nil)
|
|
req.RequestURI = webUserPath
|
|
ctx = jwtauth.NewContext(req.Context(), token, errTest)
|
|
fn.ServeHTTP(rr, req.WithContext(ctx))
|
|
assert.Equal(t, http.StatusBadRequest, rr.Code)
|
|
|
|
permClientFn := server.checkHTTPUserPerm(sdk.WebClientPubKeyChangeDisabled)
|
|
fn = permClientFn(r)
|
|
rr = httptest.NewRecorder()
|
|
req, _ = http.NewRequest(http.MethodPost, webClientProfilePath, nil)
|
|
req.RequestURI = webClientProfilePath
|
|
ctx = jwtauth.NewContext(req.Context(), token, errTest)
|
|
fn.ServeHTTP(rr, req.WithContext(ctx))
|
|
assert.Equal(t, http.StatusBadRequest, rr.Code)
|
|
|
|
rr = httptest.NewRecorder()
|
|
req, _ = http.NewRequest(http.MethodPost, userProfilePath, nil)
|
|
req.RequestURI = userProfilePath
|
|
ctx = jwtauth.NewContext(req.Context(), token, errTest)
|
|
fn.ServeHTTP(rr, req.WithContext(ctx))
|
|
assert.Equal(t, http.StatusBadRequest, rr.Code)
|
|
|
|
fn = server.checkAuthRequirements(r)
|
|
rr = httptest.NewRecorder()
|
|
req, _ = http.NewRequest(http.MethodPost, webClientProfilePath, nil)
|
|
req.RequestURI = webClientProfilePath
|
|
ctx = jwtauth.NewContext(req.Context(), token, errTest)
|
|
fn.ServeHTTP(rr, req.WithContext(ctx))
|
|
assert.Equal(t, http.StatusBadRequest, rr.Code)
|
|
|
|
fn = server.checkAuthRequirements(r)
|
|
rr = httptest.NewRecorder()
|
|
req, _ = http.NewRequest(http.MethodPost, webGroupsPath, nil)
|
|
req.RequestURI = webGroupsPath
|
|
ctx = jwtauth.NewContext(req.Context(), token, errTest)
|
|
fn.ServeHTTP(rr, req.WithContext(ctx))
|
|
assert.Equal(t, http.StatusBadRequest, rr.Code)
|
|
|
|
rr = httptest.NewRecorder()
|
|
req, _ = http.NewRequest(http.MethodPost, userSharesPath, nil)
|
|
req.RequestURI = userSharesPath
|
|
ctx = jwtauth.NewContext(req.Context(), token, errTest)
|
|
fn.ServeHTTP(rr, req.WithContext(ctx))
|
|
assert.Equal(t, http.StatusBadRequest, rr.Code)
|
|
}
|
|
|
|
func TestUpdateContextFromCookie(t *testing.T) {
|
|
server := httpdServer{
|
|
tokenAuth: jwtauth.New(jwa.HS256.String(), util.GenerateRandomBytes(32), nil),
|
|
}
|
|
req, _ := http.NewRequest(http.MethodGet, tokenPath, nil)
|
|
claims := make(map[string]any)
|
|
claims["a"] = "b"
|
|
token, _, err := server.tokenAuth.Encode(claims)
|
|
assert.NoError(t, err)
|
|
|
|
ctx := jwtauth.NewContext(req.Context(), token, nil)
|
|
server.updateContextFromCookie(req.WithContext(ctx))
|
|
}
|
|
|
|
func TestCookieExpiration(t *testing.T) {
|
|
server := httpdServer{
|
|
tokenAuth: jwtauth.New(jwa.HS256.String(), util.GenerateRandomBytes(32), nil),
|
|
}
|
|
err := errors.New("test error")
|
|
rr := httptest.NewRecorder()
|
|
req, _ := http.NewRequest(http.MethodGet, tokenPath, nil)
|
|
ctx := jwtauth.NewContext(req.Context(), nil, err)
|
|
server.checkCookieExpiration(rr, req.WithContext(ctx))
|
|
cookie := rr.Header().Get("Set-Cookie")
|
|
assert.Empty(t, cookie)
|
|
|
|
req, _ = http.NewRequest(http.MethodGet, tokenPath, nil)
|
|
claims := make(map[string]any)
|
|
claims["a"] = "b"
|
|
token, _, err := server.tokenAuth.Encode(claims)
|
|
assert.NoError(t, err)
|
|
ctx = jwtauth.NewContext(req.Context(), token, nil)
|
|
server.checkCookieExpiration(rr, req.WithContext(ctx))
|
|
cookie = rr.Header().Get("Set-Cookie")
|
|
assert.Empty(t, cookie)
|
|
|
|
admin := dataprovider.Admin{
|
|
Username: "newtestadmin",
|
|
Password: "password",
|
|
Permissions: []string{dataprovider.PermAdminAny},
|
|
}
|
|
claims = make(map[string]any)
|
|
claims[claimUsernameKey] = admin.Username
|
|
claims[claimPermissionsKey] = admin.Permissions
|
|
claims[jwt.JwtIDKey] = xid.New().String()
|
|
claims[jwt.SubjectKey] = admin.GetSignature()
|
|
claims[jwt.ExpirationKey] = time.Now().Add(1 * time.Minute)
|
|
claims[jwt.AudienceKey] = []string{tokenAudienceAPI}
|
|
token, _, err = server.tokenAuth.Encode(claims)
|
|
assert.NoError(t, err)
|
|
req, _ = http.NewRequest(http.MethodGet, tokenPath, nil)
|
|
ctx = jwtauth.NewContext(req.Context(), token, nil)
|
|
server.checkCookieExpiration(rr, req.WithContext(ctx))
|
|
cookie = rr.Header().Get("Set-Cookie")
|
|
assert.Empty(t, cookie)
|
|
|
|
admin.Status = 0
|
|
err = dataprovider.AddAdmin(&admin, "", "", "")
|
|
assert.NoError(t, err)
|
|
req, _ = http.NewRequest(http.MethodGet, tokenPath, nil)
|
|
ctx = jwtauth.NewContext(req.Context(), token, nil)
|
|
server.checkCookieExpiration(rr, req.WithContext(ctx))
|
|
cookie = rr.Header().Get("Set-Cookie")
|
|
assert.Empty(t, cookie)
|
|
|
|
admin.Status = 1
|
|
admin.Filters.AllowList = []string{"172.16.1.0/24"}
|
|
err = dataprovider.UpdateAdmin(&admin, "", "", "")
|
|
assert.NoError(t, err)
|
|
req, _ = http.NewRequest(http.MethodGet, tokenPath, nil)
|
|
ctx = jwtauth.NewContext(req.Context(), token, nil)
|
|
server.checkCookieExpiration(rr, req.WithContext(ctx))
|
|
cookie = rr.Header().Get("Set-Cookie")
|
|
assert.Empty(t, cookie)
|
|
|
|
admin, err = dataprovider.AdminExists(admin.Username)
|
|
assert.NoError(t, err)
|
|
tokenID := xid.New().String()
|
|
claims = make(map[string]any)
|
|
claims[claimUsernameKey] = admin.Username
|
|
claims[claimPermissionsKey] = admin.Permissions
|
|
claims[jwt.JwtIDKey] = tokenID
|
|
claims[jwt.SubjectKey] = admin.GetSignature()
|
|
claims[jwt.ExpirationKey] = time.Now().Add(1 * time.Minute)
|
|
claims[jwt.AudienceKey] = []string{tokenAudienceAPI}
|
|
token, _, err = server.tokenAuth.Encode(claims)
|
|
assert.NoError(t, err)
|
|
req, _ = http.NewRequest(http.MethodGet, tokenPath, nil)
|
|
req.RemoteAddr = "192.168.8.1:1234"
|
|
ctx = jwtauth.NewContext(req.Context(), token, nil)
|
|
server.checkCookieExpiration(rr, req.WithContext(ctx))
|
|
cookie = rr.Header().Get("Set-Cookie")
|
|
assert.Empty(t, cookie)
|
|
|
|
req, _ = http.NewRequest(http.MethodGet, tokenPath, nil)
|
|
req.RemoteAddr = "172.16.1.12:4567"
|
|
ctx = jwtauth.NewContext(req.Context(), token, nil)
|
|
server.checkCookieExpiration(rr, req.WithContext(ctx))
|
|
cookie = rr.Header().Get("Set-Cookie")
|
|
assert.True(t, strings.HasPrefix(cookie, "jwt="))
|
|
req.Header.Set("Cookie", cookie)
|
|
token, err = jwtauth.VerifyRequest(server.tokenAuth, req, jwtauth.TokenFromCookie)
|
|
if assert.NoError(t, err) {
|
|
assert.Equal(t, tokenID, token.JwtID())
|
|
}
|
|
|
|
err = dataprovider.DeleteAdmin(admin.Username, "", "", "")
|
|
assert.NoError(t, err)
|
|
// now check client cookie expiration
|
|
username := "client"
|
|
user := dataprovider.User{
|
|
BaseUser: sdk.BaseUser{
|
|
Username: username,
|
|
Password: "clientpwd",
|
|
HomeDir: filepath.Join(os.TempDir(), username),
|
|
Status: 1,
|
|
Description: "test user",
|
|
},
|
|
}
|
|
user.Permissions = make(map[string][]string)
|
|
user.Permissions["/"] = []string{"*"}
|
|
|
|
claims = make(map[string]any)
|
|
claims[claimUsernameKey] = user.Username
|
|
claims[claimPermissionsKey] = user.Filters.WebClient
|
|
claims[jwt.JwtIDKey] = tokenID
|
|
claims[jwt.SubjectKey] = user.GetSignature()
|
|
claims[jwt.ExpirationKey] = time.Now().Add(1 * time.Minute)
|
|
claims[jwt.AudienceKey] = []string{tokenAudienceWebClient}
|
|
token, _, err = server.tokenAuth.Encode(claims)
|
|
assert.NoError(t, err)
|
|
|
|
rr = httptest.NewRecorder()
|
|
req, _ = http.NewRequest(http.MethodGet, webClientFilesPath, nil)
|
|
ctx = jwtauth.NewContext(req.Context(), token, nil)
|
|
server.checkCookieExpiration(rr, req.WithContext(ctx))
|
|
cookie = rr.Header().Get("Set-Cookie")
|
|
assert.Empty(t, cookie)
|
|
// the password will be hashed and so the signature will change
|
|
err = dataprovider.AddUser(&user, "", "", "")
|
|
assert.NoError(t, err)
|
|
req, _ = http.NewRequest(http.MethodGet, webClientFilesPath, nil)
|
|
ctx = jwtauth.NewContext(req.Context(), token, nil)
|
|
server.checkCookieExpiration(rr, req.WithContext(ctx))
|
|
cookie = rr.Header().Get("Set-Cookie")
|
|
assert.Empty(t, cookie)
|
|
|
|
user, err = dataprovider.UserExists(user.Username, "")
|
|
assert.NoError(t, err)
|
|
user.Filters.AllowedIP = []string{"172.16.4.0/24"}
|
|
err = dataprovider.UpdateUser(&user, "", "", "")
|
|
assert.NoError(t, err)
|
|
|
|
user, err = dataprovider.UserExists(user.Username, "")
|
|
assert.NoError(t, err)
|
|
claims = make(map[string]any)
|
|
claims[claimUsernameKey] = user.Username
|
|
claims[claimPermissionsKey] = user.Filters.WebClient
|
|
claims[jwt.JwtIDKey] = tokenID
|
|
claims[jwt.SubjectKey] = user.GetSignature()
|
|
claims[jwt.ExpirationKey] = time.Now().Add(1 * time.Minute)
|
|
claims[jwt.AudienceKey] = []string{tokenAudienceWebClient}
|
|
token, _, err = server.tokenAuth.Encode(claims)
|
|
assert.NoError(t, err)
|
|
|
|
req, _ = http.NewRequest(http.MethodGet, webClientFilesPath, nil)
|
|
req.RemoteAddr = "172.16.3.12:4567"
|
|
ctx = jwtauth.NewContext(req.Context(), token, nil)
|
|
server.checkCookieExpiration(rr, req.WithContext(ctx))
|
|
cookie = rr.Header().Get("Set-Cookie")
|
|
assert.Empty(t, cookie)
|
|
|
|
req, _ = http.NewRequest(http.MethodGet, webClientFilesPath, nil)
|
|
req.RemoteAddr = "172.16.4.16:4567"
|
|
ctx = jwtauth.NewContext(req.Context(), token, nil)
|
|
server.checkCookieExpiration(rr, req.WithContext(ctx))
|
|
cookie = rr.Header().Get("Set-Cookie")
|
|
assert.NotEmpty(t, cookie)
|
|
req.Header.Set("Cookie", cookie)
|
|
token, err = jwtauth.VerifyRequest(server.tokenAuth, req, jwtauth.TokenFromCookie)
|
|
if assert.NoError(t, err) {
|
|
assert.Equal(t, tokenID, token.JwtID())
|
|
}
|
|
|
|
// test a disabled user
|
|
user.Status = 0
|
|
err = dataprovider.UpdateUser(&user, "", "", "")
|
|
assert.NoError(t, err)
|
|
user, err = dataprovider.UserExists(user.Username, "")
|
|
assert.NoError(t, err)
|
|
|
|
claims = make(map[string]any)
|
|
claims[claimUsernameKey] = user.Username
|
|
claims[claimPermissionsKey] = user.Filters.WebClient
|
|
claims[jwt.JwtIDKey] = tokenID
|
|
claims[jwt.SubjectKey] = user.GetSignature()
|
|
claims[jwt.ExpirationKey] = time.Now().Add(1 * time.Minute)
|
|
claims[jwt.AudienceKey] = []string{tokenAudienceWebClient}
|
|
token, _, err = server.tokenAuth.Encode(claims)
|
|
assert.NoError(t, err)
|
|
|
|
rr = httptest.NewRecorder()
|
|
req, _ = http.NewRequest(http.MethodGet, webClientFilesPath, nil)
|
|
ctx = jwtauth.NewContext(req.Context(), token, nil)
|
|
server.checkCookieExpiration(rr, req.WithContext(ctx))
|
|
cookie = rr.Header().Get("Set-Cookie")
|
|
assert.Empty(t, cookie)
|
|
|
|
err = dataprovider.DeleteUser(user.Username, "", "", "")
|
|
assert.NoError(t, err)
|
|
}
|
|
|
|
func TestGetURLParam(t *testing.T) {
|
|
req, _ := http.NewRequest(http.MethodGet, adminPwdPath, nil)
|
|
rctx := chi.NewRouteContext()
|
|
rctx.URLParams.Add("val", "testuser%C3%A0")
|
|
rctx.URLParams.Add("inval", "testuser%C3%AO%GG")
|
|
req = req.WithContext(context.WithValue(req.Context(), chi.RouteCtxKey, rctx))
|
|
escaped := getURLParam(req, "val")
|
|
assert.Equal(t, "testuserà", escaped)
|
|
escaped = getURLParam(req, "inval")
|
|
assert.Equal(t, "testuser%C3%AO%GG", escaped)
|
|
}
|
|
|
|
func TestChangePwdValidationErrors(t *testing.T) {
|
|
err := doChangeAdminPassword(nil, "", "", "")
|
|
require.Error(t, err)
|
|
err = doChangeAdminPassword(nil, "a", "b", "c")
|
|
require.Error(t, err)
|
|
err = doChangeAdminPassword(nil, "a", "a", "a")
|
|
require.Error(t, err)
|
|
|
|
req, _ := http.NewRequest(http.MethodPut, adminPwdPath, nil)
|
|
err = doChangeAdminPassword(req, "currentpwd", "newpwd", "newpwd")
|
|
assert.Error(t, err)
|
|
}
|
|
|
|
func TestRenderUnexistingFolder(t *testing.T) {
|
|
rr := httptest.NewRecorder()
|
|
req, _ := http.NewRequest(http.MethodPost, folderPath, nil)
|
|
renderFolder(rr, req, "path not mapped", &jwtTokenClaims{}, http.StatusOK)
|
|
assert.Equal(t, http.StatusNotFound, rr.Code)
|
|
}
|
|
|
|
func TestCloseConnectionHandler(t *testing.T) {
|
|
tokenAuth := jwtauth.New(jwa.HS256.String(), util.GenerateRandomBytes(32), nil)
|
|
claims := make(map[string]any)
|
|
claims["username"] = defaultAdminUsername
|
|
claims[jwt.ExpirationKey] = time.Now().UTC().Add(1 * time.Hour)
|
|
token, _, err := tokenAuth.Encode(claims)
|
|
assert.NoError(t, err)
|
|
req, err := http.NewRequest(http.MethodDelete, activeConnectionsPath+"/connectionID", nil)
|
|
assert.NoError(t, err)
|
|
rctx := chi.NewRouteContext()
|
|
rctx.URLParams.Add("connectionID", "")
|
|
req = req.WithContext(context.WithValue(req.Context(), chi.RouteCtxKey, rctx))
|
|
req = req.WithContext(context.WithValue(req.Context(), jwtauth.TokenCtxKey, token))
|
|
rr := httptest.NewRecorder()
|
|
handleCloseConnection(rr, req)
|
|
assert.Equal(t, http.StatusBadRequest, rr.Code)
|
|
assert.Contains(t, rr.Body.String(), "connectionID is mandatory")
|
|
}
|
|
|
|
func TestRenderInvalidTemplate(t *testing.T) {
|
|
tmpl, err := template.New("test").Parse("{{.Count}}")
|
|
if assert.NoError(t, err) {
|
|
noMatchTmpl := "no_match"
|
|
adminTemplates[noMatchTmpl] = tmpl
|
|
rw := httptest.NewRecorder()
|
|
renderAdminTemplate(rw, noMatchTmpl, map[string]string{})
|
|
assert.Equal(t, http.StatusInternalServerError, rw.Code)
|
|
clientTemplates[noMatchTmpl] = tmpl
|
|
renderClientTemplate(rw, noMatchTmpl, map[string]string{})
|
|
assert.Equal(t, http.StatusInternalServerError, rw.Code)
|
|
}
|
|
}
|
|
|
|
func TestQuotaScanInvalidFs(t *testing.T) {
|
|
user := &dataprovider.User{
|
|
BaseUser: sdk.BaseUser{
|
|
Username: "test",
|
|
HomeDir: os.TempDir(),
|
|
},
|
|
FsConfig: vfs.Filesystem{
|
|
Provider: sdk.S3FilesystemProvider,
|
|
},
|
|
}
|
|
common.QuotaScans.AddUserQuotaScan(user.Username, "")
|
|
err := doUserQuotaScan(user)
|
|
assert.Error(t, err)
|
|
}
|
|
|
|
func TestVerifyTLSConnection(t *testing.T) {
|
|
oldCertMgr := certMgr
|
|
|
|
caCrlPath := filepath.Join(os.TempDir(), "testcrl.crt")
|
|
certPath := filepath.Join(os.TempDir(), "testh.crt")
|
|
keyPath := filepath.Join(os.TempDir(), "testh.key")
|
|
err := os.WriteFile(caCrlPath, []byte(caCRL), os.ModePerm)
|
|
assert.NoError(t, err)
|
|
err = os.WriteFile(certPath, []byte(httpdCert), os.ModePerm)
|
|
assert.NoError(t, err)
|
|
err = os.WriteFile(keyPath, []byte(httpdKey), os.ModePerm)
|
|
assert.NoError(t, err)
|
|
|
|
keyPairs := []common.TLSKeyPair{
|
|
{
|
|
Cert: certPath,
|
|
Key: keyPath,
|
|
ID: common.DefaultTLSKeyPaidID,
|
|
},
|
|
}
|
|
certMgr, err = common.NewCertManager(keyPairs, "", "httpd_test")
|
|
assert.NoError(t, err)
|
|
|
|
certMgr.SetCARevocationLists([]string{caCrlPath})
|
|
err = certMgr.LoadCRLs()
|
|
assert.NoError(t, err)
|
|
|
|
crt, err := tls.X509KeyPair([]byte(client1Crt), []byte(client1Key))
|
|
assert.NoError(t, err)
|
|
x509crt, err := x509.ParseCertificate(crt.Certificate[0])
|
|
assert.NoError(t, err)
|
|
|
|
server := httpdServer{}
|
|
state := tls.ConnectionState{
|
|
PeerCertificates: []*x509.Certificate{x509crt},
|
|
}
|
|
|
|
err = server.verifyTLSConnection(state)
|
|
assert.Error(t, err) // no verified certification chain
|
|
|
|
crt, err = tls.X509KeyPair([]byte(caCRT), []byte(caKey))
|
|
assert.NoError(t, err)
|
|
|
|
x509CAcrt, err := x509.ParseCertificate(crt.Certificate[0])
|
|
assert.NoError(t, err)
|
|
|
|
state.VerifiedChains = append(state.VerifiedChains, []*x509.Certificate{x509crt, x509CAcrt})
|
|
err = server.verifyTLSConnection(state)
|
|
assert.NoError(t, err)
|
|
|
|
crt, err = tls.X509KeyPair([]byte(client2Crt), []byte(client2Key))
|
|
assert.NoError(t, err)
|
|
x509crtRevoked, err := x509.ParseCertificate(crt.Certificate[0])
|
|
assert.NoError(t, err)
|
|
|
|
state.VerifiedChains = append(state.VerifiedChains, []*x509.Certificate{x509crtRevoked, x509CAcrt})
|
|
state.PeerCertificates = []*x509.Certificate{x509crtRevoked}
|
|
err = server.verifyTLSConnection(state)
|
|
assert.EqualError(t, err, common.ErrCrtRevoked.Error())
|
|
|
|
err = os.Remove(caCrlPath)
|
|
assert.NoError(t, err)
|
|
err = os.Remove(certPath)
|
|
assert.NoError(t, err)
|
|
err = os.Remove(keyPath)
|
|
assert.NoError(t, err)
|
|
|
|
certMgr = oldCertMgr
|
|
}
|
|
|
|
func TestGetFolderFromTemplate(t *testing.T) {
|
|
folder := vfs.BaseVirtualFolder{
|
|
MappedPath: "Folder%name%",
|
|
Description: "Folder %name% desc",
|
|
}
|
|
folderName := "folderTemplate"
|
|
folderTemplate := getFolderFromTemplate(folder, folderName)
|
|
require.Equal(t, folderName, folderTemplate.Name)
|
|
require.Equal(t, fmt.Sprintf("Folder%v", folderName), folderTemplate.MappedPath)
|
|
require.Equal(t, fmt.Sprintf("Folder %v desc", folderName), folderTemplate.Description)
|
|
|
|
folder.FsConfig.Provider = sdk.CryptedFilesystemProvider
|
|
folder.FsConfig.CryptConfig.Passphrase = kms.NewPlainSecret("%name%")
|
|
folderTemplate = getFolderFromTemplate(folder, folderName)
|
|
require.Equal(t, folderName, folderTemplate.FsConfig.CryptConfig.Passphrase.GetPayload())
|
|
|
|
folder.FsConfig.Provider = sdk.GCSFilesystemProvider
|
|
folder.FsConfig.GCSConfig.KeyPrefix = "prefix%name%/"
|
|
folderTemplate = getFolderFromTemplate(folder, folderName)
|
|
require.Equal(t, fmt.Sprintf("prefix%v/", folderName), folderTemplate.FsConfig.GCSConfig.KeyPrefix)
|
|
|
|
folder.FsConfig.Provider = sdk.AzureBlobFilesystemProvider
|
|
folder.FsConfig.AzBlobConfig.KeyPrefix = "a%name%"
|
|
folder.FsConfig.AzBlobConfig.AccountKey = kms.NewPlainSecret("pwd%name%")
|
|
folderTemplate = getFolderFromTemplate(folder, folderName)
|
|
require.Equal(t, "a"+folderName, folderTemplate.FsConfig.AzBlobConfig.KeyPrefix)
|
|
require.Equal(t, "pwd"+folderName, folderTemplate.FsConfig.AzBlobConfig.AccountKey.GetPayload())
|
|
|
|
folder.FsConfig.Provider = sdk.SFTPFilesystemProvider
|
|
folder.FsConfig.SFTPConfig.Prefix = "%name%"
|
|
folder.FsConfig.SFTPConfig.Username = "sftp_%name%"
|
|
folder.FsConfig.SFTPConfig.Password = kms.NewPlainSecret("sftp%name%")
|
|
folderTemplate = getFolderFromTemplate(folder, folderName)
|
|
require.Equal(t, folderName, folderTemplate.FsConfig.SFTPConfig.Prefix)
|
|
require.Equal(t, "sftp_"+folderName, folderTemplate.FsConfig.SFTPConfig.Username)
|
|
require.Equal(t, "sftp"+folderName, folderTemplate.FsConfig.SFTPConfig.Password.GetPayload())
|
|
}
|
|
|
|
func TestGetUserFromTemplate(t *testing.T) {
|
|
user := dataprovider.User{
|
|
BaseUser: sdk.BaseUser{
|
|
Status: 1,
|
|
},
|
|
}
|
|
user.VirtualFolders = append(user.VirtualFolders, vfs.VirtualFolder{
|
|
BaseVirtualFolder: vfs.BaseVirtualFolder{
|
|
Name: "Folder%username%",
|
|
},
|
|
})
|
|
|
|
username := "userTemplate"
|
|
password := "pwdTemplate"
|
|
templateFields := userTemplateFields{
|
|
Username: username,
|
|
Password: password,
|
|
}
|
|
|
|
userTemplate := getUserFromTemplate(user, templateFields)
|
|
require.Len(t, userTemplate.VirtualFolders, 1)
|
|
require.Equal(t, "Folder"+username, userTemplate.VirtualFolders[0].Name)
|
|
|
|
user.FsConfig.Provider = sdk.CryptedFilesystemProvider
|
|
user.FsConfig.CryptConfig.Passphrase = kms.NewPlainSecret("%password%")
|
|
userTemplate = getUserFromTemplate(user, templateFields)
|
|
require.Equal(t, password, userTemplate.FsConfig.CryptConfig.Passphrase.GetPayload())
|
|
|
|
user.FsConfig.Provider = sdk.GCSFilesystemProvider
|
|
user.FsConfig.GCSConfig.KeyPrefix = "%username%%password%"
|
|
userTemplate = getUserFromTemplate(user, templateFields)
|
|
require.Equal(t, username+password, userTemplate.FsConfig.GCSConfig.KeyPrefix)
|
|
|
|
user.FsConfig.Provider = sdk.AzureBlobFilesystemProvider
|
|
user.FsConfig.AzBlobConfig.KeyPrefix = "a%username%"
|
|
user.FsConfig.AzBlobConfig.AccountKey = kms.NewPlainSecret("pwd%password%%username%")
|
|
userTemplate = getUserFromTemplate(user, templateFields)
|
|
require.Equal(t, "a"+username, userTemplate.FsConfig.AzBlobConfig.KeyPrefix)
|
|
require.Equal(t, "pwd"+password+username, userTemplate.FsConfig.AzBlobConfig.AccountKey.GetPayload())
|
|
|
|
user.FsConfig.Provider = sdk.SFTPFilesystemProvider
|
|
user.FsConfig.SFTPConfig.Prefix = "%username%"
|
|
user.FsConfig.SFTPConfig.Username = "sftp_%username%"
|
|
user.FsConfig.SFTPConfig.Password = kms.NewPlainSecret("sftp%password%")
|
|
userTemplate = getUserFromTemplate(user, templateFields)
|
|
require.Equal(t, username, userTemplate.FsConfig.SFTPConfig.Prefix)
|
|
require.Equal(t, "sftp_"+username, userTemplate.FsConfig.SFTPConfig.Username)
|
|
require.Equal(t, "sftp"+password, userTemplate.FsConfig.SFTPConfig.Password.GetPayload())
|
|
}
|
|
|
|
func TestJWTTokenCleanup(t *testing.T) {
|
|
server := httpdServer{
|
|
tokenAuth: jwtauth.New(jwa.HS256.String(), util.GenerateRandomBytes(32), nil),
|
|
}
|
|
admin := dataprovider.Admin{
|
|
Username: "newtestadmin",
|
|
Password: "password",
|
|
Permissions: []string{dataprovider.PermAdminAny},
|
|
}
|
|
claims := make(map[string]any)
|
|
claims[claimUsernameKey] = admin.Username
|
|
claims[claimPermissionsKey] = admin.Permissions
|
|
claims[jwt.SubjectKey] = admin.GetSignature()
|
|
claims[jwt.ExpirationKey] = time.Now().Add(1 * time.Minute)
|
|
_, token, err := server.tokenAuth.Encode(claims)
|
|
assert.NoError(t, err)
|
|
|
|
req, _ := http.NewRequest(http.MethodGet, versionPath, nil)
|
|
assert.True(t, isTokenInvalidated(req))
|
|
|
|
req.Header.Set("Authorization", fmt.Sprintf("Bearer %v", token))
|
|
|
|
invalidatedJWTTokens.Add(token, time.Now().Add(-tokenDuration).UTC())
|
|
require.True(t, isTokenInvalidated(req))
|
|
startCleanupTicker(100 * time.Millisecond)
|
|
assert.Eventually(t, func() bool { return !isTokenInvalidated(req) }, 1*time.Second, 200*time.Millisecond)
|
|
stopCleanupTicker()
|
|
}
|
|
|
|
func TestDbTokenManager(t *testing.T) {
|
|
if !isSharedProviderSupported() {
|
|
t.Skip("this test it is not available with this provider")
|
|
}
|
|
mgr := newTokenManager(1)
|
|
dbTokenManager := mgr.(*dbTokenManager)
|
|
testToken := "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOlsiV2ViQWRtaW4iLCI6OjEiXSwiZXhwIjoxNjk4NjYwMDM4LCJqdGkiOiJja3ZuazVrYjF1aHUzZXRmZmhyZyIsIm5iZiI6MTY5ODY1ODgwOCwicGVybWlzc2lvbnMiOlsiKiJdLCJzdWIiOiIxNjk3ODIwNDM3NTMyIiwidXNlcm5hbWUiOiJhZG1pbiJ9.LXuFFksvnSuzHqHat6r70yR0jEulNRju7m7SaWrOfy8; csrftoken=mP0C7DqjwpAXsptO2gGCaYBkYw3oNMWB"
|
|
key := dbTokenManager.getKey(testToken)
|
|
require.Len(t, key, 64)
|
|
dbTokenManager.Add(testToken, time.Now().Add(-tokenDuration).UTC())
|
|
isInvalidated := dbTokenManager.Get(testToken)
|
|
assert.True(t, isInvalidated)
|
|
dbTokenManager.Cleanup()
|
|
isInvalidated = dbTokenManager.Get(testToken)
|
|
assert.False(t, isInvalidated)
|
|
dbTokenManager.Add(testToken, time.Now().Add(tokenDuration).UTC())
|
|
isInvalidated = dbTokenManager.Get(testToken)
|
|
assert.True(t, isInvalidated)
|
|
dbTokenManager.Cleanup()
|
|
isInvalidated = dbTokenManager.Get(testToken)
|
|
assert.True(t, isInvalidated)
|
|
err := dataprovider.DeleteSharedSession(key)
|
|
assert.NoError(t, err)
|
|
}
|
|
|
|
func TestAllowedProxyUnixDomainSocket(t *testing.T) {
|
|
b := Binding{
|
|
Address: filepath.Join(os.TempDir(), "sock"),
|
|
ProxyAllowed: []string{"127.0.0.1", "127.0.1.1"},
|
|
}
|
|
err := b.parseAllowedProxy()
|
|
assert.NoError(t, err)
|
|
if assert.Len(t, b.allowHeadersFrom, 1) {
|
|
assert.True(t, b.allowHeadersFrom[0](nil))
|
|
}
|
|
}
|
|
|
|
func TestProxyListenerWrapper(t *testing.T) {
|
|
b := Binding{
|
|
ProxyMode: 0,
|
|
}
|
|
require.Nil(t, b.listenerWrapper())
|
|
b.ProxyMode = 1
|
|
require.NotNil(t, b.listenerWrapper())
|
|
}
|
|
|
|
func TestProxyHeaders(t *testing.T) {
|
|
username := "adminTest"
|
|
password := "testPwd"
|
|
admin := dataprovider.Admin{
|
|
Username: username,
|
|
Password: password,
|
|
Permissions: []string{dataprovider.PermAdminAny},
|
|
Status: 1,
|
|
Filters: dataprovider.AdminFilters{
|
|
AllowList: []string{"172.19.2.0/24"},
|
|
},
|
|
}
|
|
|
|
err := dataprovider.AddAdmin(&admin, "", "", "")
|
|
assert.NoError(t, err)
|
|
|
|
testIP := "10.29.1.9"
|
|
validForwardedFor := "172.19.2.6"
|
|
b := Binding{
|
|
Address: "",
|
|
Port: 8080,
|
|
EnableWebAdmin: true,
|
|
EnableWebClient: false,
|
|
EnableRESTAPI: true,
|
|
ProxyAllowed: []string{testIP, "10.8.0.0/30"},
|
|
ClientIPProxyHeader: "x-forwarded-for",
|
|
}
|
|
err = b.parseAllowedProxy()
|
|
assert.NoError(t, err)
|
|
server := newHttpdServer(b, "", "", CorsConfig{Enabled: true}, "")
|
|
server.initializeRouter()
|
|
testServer := httptest.NewServer(server.router)
|
|
defer testServer.Close()
|
|
|
|
req, err := http.NewRequest(http.MethodGet, tokenPath, nil)
|
|
assert.NoError(t, err)
|
|
req.Header.Set("X-Forwarded-For", validForwardedFor)
|
|
req.Header.Set(xForwardedProto, "https")
|
|
req.RemoteAddr = "127.0.0.1:123"
|
|
req.SetBasicAuth(username, password)
|
|
rr := httptest.NewRecorder()
|
|
testServer.Config.Handler.ServeHTTP(rr, req)
|
|
assert.Equal(t, http.StatusUnauthorized, rr.Code)
|
|
assert.Contains(t, rr.Body.String(), "login from IP 127.0.0.1 not allowed")
|
|
|
|
req.RemoteAddr = testIP
|
|
rr = httptest.NewRecorder()
|
|
testServer.Config.Handler.ServeHTTP(rr, req)
|
|
assert.Equal(t, http.StatusOK, rr.Code)
|
|
|
|
req.RemoteAddr = "10.8.0.2"
|
|
rr = httptest.NewRecorder()
|
|
testServer.Config.Handler.ServeHTTP(rr, req)
|
|
assert.Equal(t, http.StatusOK, rr.Code)
|
|
|
|
req, err = http.NewRequest(http.MethodGet, webAdminLoginPath, nil)
|
|
assert.NoError(t, err)
|
|
req.RemoteAddr = testIP
|
|
rr = httptest.NewRecorder()
|
|
testServer.Config.Handler.ServeHTTP(rr, req)
|
|
assert.Equal(t, http.StatusOK, rr.Code, rr.Body.String())
|
|
cookie := rr.Header().Get("Set-Cookie")
|
|
assert.NotEmpty(t, cookie)
|
|
req.Header.Set("Cookie", cookie)
|
|
parsedToken, err := jwtauth.VerifyRequest(server.csrfTokenAuth, req, jwtauth.TokenFromCookie)
|
|
assert.NoError(t, err)
|
|
ctx := req.Context()
|
|
ctx = jwtauth.NewContext(ctx, parsedToken, err)
|
|
req = req.WithContext(ctx)
|
|
|
|
form := make(url.Values)
|
|
form.Set("username", username)
|
|
form.Set("password", password)
|
|
form.Set(csrfFormToken, createCSRFToken(httptest.NewRecorder(), req, server.csrfTokenAuth, "", webBaseAdminPath))
|
|
req, err = http.NewRequest(http.MethodPost, webAdminLoginPath, bytes.NewBuffer([]byte(form.Encode())))
|
|
assert.NoError(t, err)
|
|
req.RemoteAddr = testIP
|
|
req.Header.Set("Cookie", cookie)
|
|
req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
|
|
rr = httptest.NewRecorder()
|
|
testServer.Config.Handler.ServeHTTP(rr, req)
|
|
assert.Equal(t, http.StatusOK, rr.Code, rr.Body.String())
|
|
assert.Contains(t, rr.Body.String(), util.I18nErrorInvalidCredentials)
|
|
|
|
req, err = http.NewRequest(http.MethodGet, webAdminLoginPath, nil)
|
|
assert.NoError(t, err)
|
|
req.RemoteAddr = validForwardedFor
|
|
rr = httptest.NewRecorder()
|
|
testServer.Config.Handler.ServeHTTP(rr, req)
|
|
assert.Equal(t, http.StatusOK, rr.Code, rr.Body.String())
|
|
loginCookie := rr.Header().Get("Set-Cookie")
|
|
assert.NotEmpty(t, loginCookie)
|
|
req.Header.Set("Cookie", loginCookie)
|
|
parsedToken, err = jwtauth.VerifyRequest(server.csrfTokenAuth, req, jwtauth.TokenFromCookie)
|
|
assert.NoError(t, err)
|
|
ctx = req.Context()
|
|
ctx = jwtauth.NewContext(ctx, parsedToken, err)
|
|
req = req.WithContext(ctx)
|
|
|
|
form.Set(csrfFormToken, createCSRFToken(httptest.NewRecorder(), req, server.csrfTokenAuth, "", webBaseAdminPath))
|
|
req, err = http.NewRequest(http.MethodPost, webAdminLoginPath, bytes.NewBuffer([]byte(form.Encode())))
|
|
assert.NoError(t, err)
|
|
req.RemoteAddr = testIP
|
|
req.Header.Set("Cookie", loginCookie)
|
|
req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
|
|
req.Header.Set("X-Forwarded-For", validForwardedFor)
|
|
rr = httptest.NewRecorder()
|
|
testServer.Config.Handler.ServeHTTP(rr, req)
|
|
assert.Equal(t, http.StatusFound, rr.Code, rr.Body.String())
|
|
cookie = rr.Header().Get("Set-Cookie")
|
|
assert.NotContains(t, cookie, "Secure")
|
|
|
|
// The login cookie is invalidated after a successful login, the same request will fail
|
|
req, err = http.NewRequest(http.MethodPost, webAdminLoginPath, bytes.NewBuffer([]byte(form.Encode())))
|
|
assert.NoError(t, err)
|
|
req.RemoteAddr = testIP
|
|
req.Header.Set("Cookie", loginCookie)
|
|
req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
|
|
req.Header.Set("X-Forwarded-For", validForwardedFor)
|
|
rr = httptest.NewRecorder()
|
|
testServer.Config.Handler.ServeHTTP(rr, req)
|
|
assert.Equal(t, http.StatusOK, rr.Code, rr.Body.String())
|
|
assert.Contains(t, rr.Body.String(), util.I18nErrorInvalidCSRF)
|
|
|
|
req, err = http.NewRequest(http.MethodGet, webAdminLoginPath, nil)
|
|
assert.NoError(t, err)
|
|
req.RemoteAddr = validForwardedFor
|
|
rr = httptest.NewRecorder()
|
|
testServer.Config.Handler.ServeHTTP(rr, req)
|
|
assert.Equal(t, http.StatusOK, rr.Code, rr.Body.String())
|
|
loginCookie = rr.Header().Get("Set-Cookie")
|
|
assert.NotEmpty(t, loginCookie)
|
|
req.Header.Set("Cookie", loginCookie)
|
|
parsedToken, err = jwtauth.VerifyRequest(server.csrfTokenAuth, req, jwtauth.TokenFromCookie)
|
|
assert.NoError(t, err)
|
|
ctx = req.Context()
|
|
ctx = jwtauth.NewContext(ctx, parsedToken, err)
|
|
req = req.WithContext(ctx)
|
|
|
|
form.Set(csrfFormToken, createCSRFToken(httptest.NewRecorder(), req, server.csrfTokenAuth, "", webBaseAdminPath))
|
|
req, err = http.NewRequest(http.MethodPost, webAdminLoginPath, bytes.NewBuffer([]byte(form.Encode())))
|
|
assert.NoError(t, err)
|
|
req.RemoteAddr = testIP
|
|
req.Header.Set("Cookie", loginCookie)
|
|
req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
|
|
req.Header.Set("X-Forwarded-For", validForwardedFor)
|
|
req.Header.Set(xForwardedProto, "https")
|
|
rr = httptest.NewRecorder()
|
|
testServer.Config.Handler.ServeHTTP(rr, req)
|
|
assert.Equal(t, http.StatusFound, rr.Code, rr.Body.String())
|
|
cookie = rr.Header().Get("Set-Cookie")
|
|
assert.Contains(t, cookie, "Secure")
|
|
|
|
req, err = http.NewRequest(http.MethodGet, webAdminLoginPath, nil)
|
|
assert.NoError(t, err)
|
|
req.RemoteAddr = validForwardedFor
|
|
rr = httptest.NewRecorder()
|
|
testServer.Config.Handler.ServeHTTP(rr, req)
|
|
assert.Equal(t, http.StatusOK, rr.Code, rr.Body.String())
|
|
loginCookie = rr.Header().Get("Set-Cookie")
|
|
assert.NotEmpty(t, loginCookie)
|
|
req.Header.Set("Cookie", loginCookie)
|
|
parsedToken, err = jwtauth.VerifyRequest(server.csrfTokenAuth, req, jwtauth.TokenFromCookie)
|
|
assert.NoError(t, err)
|
|
ctx = req.Context()
|
|
ctx = jwtauth.NewContext(ctx, parsedToken, err)
|
|
req = req.WithContext(ctx)
|
|
|
|
form.Set(csrfFormToken, createCSRFToken(httptest.NewRecorder(), req, server.csrfTokenAuth, "", webBaseAdminPath))
|
|
req, err = http.NewRequest(http.MethodPost, webAdminLoginPath, bytes.NewBuffer([]byte(form.Encode())))
|
|
assert.NoError(t, err)
|
|
req.RemoteAddr = testIP
|
|
req.Header.Set("Cookie", loginCookie)
|
|
req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
|
|
req.Header.Set("X-Forwarded-For", validForwardedFor)
|
|
req.Header.Set(xForwardedProto, "http")
|
|
rr = httptest.NewRecorder()
|
|
testServer.Config.Handler.ServeHTTP(rr, req)
|
|
assert.Equal(t, http.StatusFound, rr.Code, rr.Body.String())
|
|
cookie = rr.Header().Get("Set-Cookie")
|
|
assert.NotContains(t, cookie, "Secure")
|
|
|
|
err = dataprovider.DeleteAdmin(username, "", "", "")
|
|
assert.NoError(t, err)
|
|
}
|
|
|
|
func TestRecoverer(t *testing.T) {
|
|
recoveryPath := "/recovery"
|
|
b := Binding{
|
|
Address: "",
|
|
Port: 8080,
|
|
EnableWebAdmin: true,
|
|
EnableWebClient: false,
|
|
EnableRESTAPI: true,
|
|
}
|
|
server := newHttpdServer(b, "../static", "", CorsConfig{}, "../openapi")
|
|
server.initializeRouter()
|
|
server.router.Get(recoveryPath, func(_ http.ResponseWriter, _ *http.Request) {
|
|
panic("panic")
|
|
})
|
|
testServer := httptest.NewServer(server.router)
|
|
defer testServer.Close()
|
|
|
|
req, err := http.NewRequest(http.MethodGet, recoveryPath, nil)
|
|
assert.NoError(t, err)
|
|
rr := httptest.NewRecorder()
|
|
testServer.Config.Handler.ServeHTTP(rr, req)
|
|
assert.Equal(t, http.StatusInternalServerError, rr.Code, rr.Body.String())
|
|
|
|
server.router = chi.NewRouter()
|
|
server.router.Use(middleware.Recoverer)
|
|
server.router.Get(recoveryPath, func(_ http.ResponseWriter, _ *http.Request) {
|
|
panic("panic")
|
|
})
|
|
testServer = httptest.NewServer(server.router)
|
|
defer testServer.Close()
|
|
|
|
req, err = http.NewRequest(http.MethodGet, recoveryPath, nil)
|
|
assert.NoError(t, err)
|
|
rr = httptest.NewRecorder()
|
|
testServer.Config.Handler.ServeHTTP(rr, req)
|
|
assert.Equal(t, http.StatusInternalServerError, rr.Code, rr.Body.String())
|
|
}
|
|
|
|
func TestStreamJSONArray(t *testing.T) {
|
|
dataGetter := func(_, _ int) ([]byte, int, error) {
|
|
return nil, 0, nil
|
|
}
|
|
rr := httptest.NewRecorder()
|
|
streamJSONArray(rr, 10, dataGetter)
|
|
assert.Equal(t, `[]`, rr.Body.String())
|
|
|
|
data := []int{}
|
|
for i := 0; i < 10; i++ {
|
|
data = append(data, i)
|
|
}
|
|
|
|
dataGetter = func(_, offset int) ([]byte, int, error) {
|
|
if offset >= len(data) {
|
|
return nil, 0, nil
|
|
}
|
|
val := data[offset]
|
|
data, err := json.Marshal([]int{val})
|
|
return data, 1, err
|
|
}
|
|
|
|
rr = httptest.NewRecorder()
|
|
streamJSONArray(rr, 1, dataGetter)
|
|
assert.Equal(t, `[0,1,2,3,4,5,6,7,8,9]`, rr.Body.String())
|
|
}
|
|
|
|
func TestCompressorAbortHandler(t *testing.T) {
|
|
defer func() {
|
|
rcv := recover()
|
|
assert.Equal(t, http.ErrAbortHandler, rcv)
|
|
}()
|
|
|
|
connection := &Connection{
|
|
BaseConnection: common.NewBaseConnection(xid.New().String(), common.ProtocolHTTP, "", "", dataprovider.User{}),
|
|
request: nil,
|
|
}
|
|
share := &dataprovider.Share{}
|
|
renderCompressedFiles(&failingWriter{}, connection, "", nil, share)
|
|
}
|
|
|
|
func TestStreamDataAbortHandler(t *testing.T) {
|
|
defer func() {
|
|
rcv := recover()
|
|
assert.Equal(t, http.ErrAbortHandler, rcv)
|
|
}()
|
|
|
|
streamData(&failingWriter{}, []byte(`["a":"b"]`))
|
|
}
|
|
|
|
func TestZipErrors(t *testing.T) {
|
|
user := dataprovider.User{
|
|
BaseUser: sdk.BaseUser{
|
|
HomeDir: filepath.Clean(os.TempDir()),
|
|
},
|
|
}
|
|
user.Permissions = make(map[string][]string)
|
|
user.Permissions["/"] = []string{dataprovider.PermAny}
|
|
connection := &Connection{
|
|
BaseConnection: common.NewBaseConnection(xid.New().String(), common.ProtocolHTTP, "", "", user),
|
|
request: nil,
|
|
}
|
|
|
|
testDir := filepath.Join(os.TempDir(), "testDir")
|
|
err := os.MkdirAll(testDir, os.ModePerm)
|
|
assert.NoError(t, err)
|
|
|
|
wr := zip.NewWriter(&failingWriter{})
|
|
err = wr.Close()
|
|
if assert.Error(t, err) {
|
|
assert.Contains(t, err.Error(), "write error")
|
|
}
|
|
|
|
err = addZipEntry(wr, connection, "/"+filepath.Base(testDir), "/", 0)
|
|
if assert.Error(t, err) {
|
|
assert.Contains(t, err.Error(), "write error")
|
|
}
|
|
err = addZipEntry(wr, connection, "/"+filepath.Base(testDir), "/", 2000)
|
|
assert.ErrorIs(t, err, util.ErrRecursionTooDeep)
|
|
|
|
err = addZipEntry(wr, connection, "/"+filepath.Base(testDir), path.Join("/", filepath.Base(testDir), "dir"), 0)
|
|
if assert.Error(t, err) {
|
|
assert.Contains(t, err.Error(), "is outside base dir")
|
|
}
|
|
|
|
testFilePath := filepath.Join(testDir, "ziptest.zip")
|
|
err = os.WriteFile(testFilePath, util.GenerateRandomBytes(65535), os.ModePerm)
|
|
assert.NoError(t, err)
|
|
err = addZipEntry(wr, connection, path.Join("/", filepath.Base(testDir), filepath.Base(testFilePath)),
|
|
"/"+filepath.Base(testDir), 0)
|
|
if assert.Error(t, err) {
|
|
assert.Contains(t, err.Error(), "write error")
|
|
}
|
|
|
|
connection.User.Permissions["/"] = []string{dataprovider.PermListItems}
|
|
err = addZipEntry(wr, connection, path.Join("/", filepath.Base(testDir), filepath.Base(testFilePath)),
|
|
"/"+filepath.Base(testDir), 0)
|
|
assert.ErrorIs(t, err, os.ErrPermission)
|
|
|
|
// creating a virtual folder to a missing path stat is ok but readdir fails
|
|
user.VirtualFolders = append(user.VirtualFolders, vfs.VirtualFolder{
|
|
BaseVirtualFolder: vfs.BaseVirtualFolder{
|
|
MappedPath: filepath.Join(os.TempDir(), "mapped"),
|
|
},
|
|
VirtualPath: "/vpath",
|
|
})
|
|
connection.User = user
|
|
wr = zip.NewWriter(bytes.NewBuffer(make([]byte, 0)))
|
|
err = addZipEntry(wr, connection, user.VirtualFolders[0].VirtualPath, "/", 0)
|
|
assert.Error(t, err)
|
|
|
|
user.Filters.FilePatterns = append(user.Filters.FilePatterns, sdk.PatternsFilter{
|
|
Path: "/",
|
|
DeniedPatterns: []string{"*.zip"},
|
|
})
|
|
err = addZipEntry(wr, connection, "/"+filepath.Base(testDir), "/", 0)
|
|
assert.ErrorIs(t, err, os.ErrPermission)
|
|
|
|
err = os.RemoveAll(testDir)
|
|
assert.NoError(t, err)
|
|
}
|
|
|
|
func TestWebAdminRedirect(t *testing.T) {
|
|
b := Binding{
|
|
Address: "",
|
|
Port: 8080,
|
|
EnableWebAdmin: true,
|
|
EnableWebClient: false,
|
|
EnableRESTAPI: true,
|
|
}
|
|
server := newHttpdServer(b, "../static", "", CorsConfig{}, "../openapi")
|
|
server.initializeRouter()
|
|
testServer := httptest.NewServer(server.router)
|
|
defer testServer.Close()
|
|
|
|
req, err := http.NewRequest(http.MethodGet, webRootPath, nil)
|
|
assert.NoError(t, err)
|
|
rr := httptest.NewRecorder()
|
|
testServer.Config.Handler.ServeHTTP(rr, req)
|
|
assert.Equal(t, http.StatusFound, rr.Code, rr.Body.String())
|
|
assert.Equal(t, webAdminLoginPath, rr.Header().Get("Location"))
|
|
|
|
req, err = http.NewRequest(http.MethodGet, webBasePath, nil)
|
|
assert.NoError(t, err)
|
|
rr = httptest.NewRecorder()
|
|
testServer.Config.Handler.ServeHTTP(rr, req)
|
|
assert.Equal(t, http.StatusFound, rr.Code, rr.Body.String())
|
|
assert.Equal(t, webAdminLoginPath, rr.Header().Get("Location"))
|
|
}
|
|
|
|
func TestParseRangeRequests(t *testing.T) {
|
|
// curl --verbose "http://127.0.0.1:8080/static/css/sb-admin-2.min.css" -H "Range: bytes=24-24"
|
|
fileSize := int64(169740)
|
|
rangeHeader := "bytes=24-24"
|
|
offset, size, err := parseRangeRequest(rangeHeader[6:], fileSize)
|
|
require.NoError(t, err)
|
|
resp := fmt.Sprintf("bytes %d-%d/%d", offset, offset+size-1, fileSize)
|
|
assert.Equal(t, "bytes 24-24/169740", resp)
|
|
require.Equal(t, int64(1), size)
|
|
// curl --verbose "http://127.0.0.1:8080/static/css/sb-admin-2.min.css" -H "Range: bytes=24-"
|
|
rangeHeader = "bytes=24-"
|
|
offset, size, err = parseRangeRequest(rangeHeader[6:], fileSize)
|
|
require.NoError(t, err)
|
|
resp = fmt.Sprintf("bytes %d-%d/%d", offset, offset+size-1, fileSize)
|
|
assert.Equal(t, "bytes 24-169739/169740", resp)
|
|
require.Equal(t, int64(169716), size)
|
|
// curl --verbose "http://127.0.0.1:8080/static/css/sb-admin-2.min.css" -H "Range: bytes=-1"
|
|
rangeHeader = "bytes=-1"
|
|
offset, size, err = parseRangeRequest(rangeHeader[6:], fileSize)
|
|
require.NoError(t, err)
|
|
resp = fmt.Sprintf("bytes %d-%d/%d", offset, offset+size-1, fileSize)
|
|
assert.Equal(t, "bytes 169739-169739/169740", resp)
|
|
require.Equal(t, int64(1), size)
|
|
// curl --verbose "http://127.0.0.1:8080/static/css/sb-admin-2.min.css" -H "Range: bytes=-100"
|
|
rangeHeader = "bytes=-100"
|
|
offset, size, err = parseRangeRequest(rangeHeader[6:], fileSize)
|
|
require.NoError(t, err)
|
|
resp = fmt.Sprintf("bytes %d-%d/%d", offset, offset+size-1, fileSize)
|
|
assert.Equal(t, "bytes 169640-169739/169740", resp)
|
|
require.Equal(t, int64(100), size)
|
|
// curl --verbose "http://127.0.0.1:8080/static/css/sb-admin-2.min.css" -H "Range: bytes=20-30"
|
|
rangeHeader = "bytes=20-30"
|
|
offset, size, err = parseRangeRequest(rangeHeader[6:], fileSize)
|
|
require.NoError(t, err)
|
|
resp = fmt.Sprintf("bytes %d-%d/%d", offset, offset+size-1, fileSize)
|
|
assert.Equal(t, "bytes 20-30/169740", resp)
|
|
require.Equal(t, int64(11), size)
|
|
// curl --verbose "http://127.0.0.1:8080/static/css/sb-admin-2.min.css" -H "Range: bytes=20-169739"
|
|
rangeHeader = "bytes=20-169739"
|
|
offset, size, err = parseRangeRequest(rangeHeader[6:], fileSize)
|
|
require.NoError(t, err)
|
|
resp = fmt.Sprintf("bytes %d-%d/%d", offset, offset+size-1, fileSize)
|
|
assert.Equal(t, "bytes 20-169739/169740", resp)
|
|
require.Equal(t, int64(169720), size)
|
|
// curl --verbose "http://127.0.0.1:8080/static/css/sb-admin-2.min.css" -H "Range: bytes=20-169740"
|
|
rangeHeader = "bytes=20-169740"
|
|
offset, size, err = parseRangeRequest(rangeHeader[6:], fileSize)
|
|
require.NoError(t, err)
|
|
resp = fmt.Sprintf("bytes %d-%d/%d", offset, offset+size-1, fileSize)
|
|
assert.Equal(t, "bytes 20-169739/169740", resp)
|
|
require.Equal(t, int64(169720), size)
|
|
// curl --verbose "http://127.0.0.1:8080/static/css/sb-admin-2.min.css" -H "Range: bytes=20-169741"
|
|
rangeHeader = "bytes=20-169741"
|
|
offset, size, err = parseRangeRequest(rangeHeader[6:], fileSize)
|
|
require.NoError(t, err)
|
|
resp = fmt.Sprintf("bytes %d-%d/%d", offset, offset+size-1, fileSize)
|
|
assert.Equal(t, "bytes 20-169739/169740", resp)
|
|
require.Equal(t, int64(169720), size)
|
|
//curl --verbose "http://127.0.0.1:8080/static/css/sb-admin-2.min.css" -H "Range: bytes=0-" > /dev/null
|
|
rangeHeader = "bytes=0-"
|
|
offset, size, err = parseRangeRequest(rangeHeader[6:], fileSize)
|
|
require.NoError(t, err)
|
|
resp = fmt.Sprintf("bytes %d-%d/%d", offset, offset+size-1, fileSize)
|
|
assert.Equal(t, "bytes 0-169739/169740", resp)
|
|
require.Equal(t, int64(169740), size)
|
|
// now test errors
|
|
rangeHeader = "bytes=0-a"
|
|
_, _, err = parseRangeRequest(rangeHeader[6:], fileSize)
|
|
require.Error(t, err)
|
|
rangeHeader = "bytes="
|
|
_, _, err = parseRangeRequest(rangeHeader[6:], fileSize)
|
|
require.Error(t, err)
|
|
rangeHeader = "bytes=-"
|
|
_, _, err = parseRangeRequest(rangeHeader[6:], fileSize)
|
|
require.Error(t, err)
|
|
rangeHeader = "bytes=500-300"
|
|
_, _, err = parseRangeRequest(rangeHeader[6:], fileSize)
|
|
require.Error(t, err)
|
|
rangeHeader = "bytes=5000000"
|
|
_, _, err = parseRangeRequest(rangeHeader[6:], fileSize)
|
|
require.Error(t, err)
|
|
}
|
|
|
|
func TestRequestHeaderErrors(t *testing.T) {
|
|
req, _ := http.NewRequest(http.MethodGet, webClientFilesPath, nil)
|
|
req.Header.Set("If-Unmodified-Since", "not a date")
|
|
res := checkIfUnmodifiedSince(req, time.Now())
|
|
assert.Equal(t, condNone, res)
|
|
|
|
req, _ = http.NewRequest(http.MethodPost, webClientFilesPath, nil)
|
|
res = checkIfModifiedSince(req, time.Now())
|
|
assert.Equal(t, condNone, res)
|
|
|
|
req, _ = http.NewRequest(http.MethodPost, webClientFilesPath, nil)
|
|
res = checkIfRange(req, time.Now())
|
|
assert.Equal(t, condNone, res)
|
|
|
|
req, _ = http.NewRequest(http.MethodGet, webClientFilesPath, nil)
|
|
req.Header.Set("If-Modified-Since", "not a date")
|
|
res = checkIfModifiedSince(req, time.Now())
|
|
assert.Equal(t, condNone, res)
|
|
|
|
req, _ = http.NewRequest(http.MethodGet, webClientFilesPath, nil)
|
|
req.Header.Set("If-Range", time.Now().Format(http.TimeFormat))
|
|
res = checkIfRange(req, time.Time{})
|
|
assert.Equal(t, condFalse, res)
|
|
|
|
req.Header.Set("If-Range", "invalid if range date")
|
|
res = checkIfRange(req, time.Now())
|
|
assert.Equal(t, condFalse, res)
|
|
modTime := getFileObjectModTime(time.Time{})
|
|
assert.Empty(t, modTime)
|
|
}
|
|
|
|
func TestConnection(t *testing.T) {
|
|
user := dataprovider.User{
|
|
BaseUser: sdk.BaseUser{
|
|
Username: "test_httpd_user",
|
|
HomeDir: filepath.Clean(os.TempDir()),
|
|
},
|
|
FsConfig: vfs.Filesystem{
|
|
Provider: sdk.GCSFilesystemProvider,
|
|
GCSConfig: vfs.GCSFsConfig{
|
|
BaseGCSFsConfig: sdk.BaseGCSFsConfig{
|
|
Bucket: "test_bucket_name",
|
|
},
|
|
Credentials: kms.NewPlainSecret("invalid JSON payload"),
|
|
},
|
|
},
|
|
}
|
|
user.Permissions = make(map[string][]string)
|
|
user.Permissions["/"] = []string{dataprovider.PermAny}
|
|
connection := &Connection{
|
|
BaseConnection: common.NewBaseConnection(xid.New().String(), common.ProtocolHTTP, "", "", user),
|
|
request: nil,
|
|
}
|
|
assert.Empty(t, connection.GetClientVersion())
|
|
assert.Empty(t, connection.GetRemoteAddress())
|
|
assert.Empty(t, connection.GetCommand())
|
|
name := "missing file name"
|
|
_, err := connection.getFileReader(name, 0, http.MethodGet)
|
|
assert.Error(t, err)
|
|
connection.User.FsConfig.Provider = sdk.LocalFilesystemProvider
|
|
_, err = connection.getFileReader(name, 0, http.MethodGet)
|
|
assert.ErrorIs(t, err, os.ErrNotExist)
|
|
}
|
|
|
|
func TestGetFileWriterErrors(t *testing.T) {
|
|
user := dataprovider.User{
|
|
BaseUser: sdk.BaseUser{
|
|
Username: "test_httpd_user",
|
|
HomeDir: "invalid",
|
|
},
|
|
}
|
|
user.Permissions = make(map[string][]string)
|
|
user.Permissions["/"] = []string{dataprovider.PermAny}
|
|
connection := &Connection{
|
|
BaseConnection: common.NewBaseConnection(xid.New().String(), common.ProtocolHTTP, "", "", user),
|
|
request: nil,
|
|
}
|
|
_, err := connection.getFileWriter("name")
|
|
assert.Error(t, err)
|
|
|
|
user.FsConfig.Provider = sdk.S3FilesystemProvider
|
|
user.FsConfig.S3Config = vfs.S3FsConfig{
|
|
BaseS3FsConfig: sdk.BaseS3FsConfig{
|
|
Bucket: "b",
|
|
Region: "us-west-1",
|
|
AccessKey: "key",
|
|
},
|
|
AccessSecret: kms.NewPlainSecret("secret"),
|
|
}
|
|
connection = &Connection{
|
|
BaseConnection: common.NewBaseConnection(xid.New().String(), common.ProtocolHTTP, "", "", user),
|
|
request: nil,
|
|
}
|
|
_, err = connection.getFileWriter("/path")
|
|
assert.Error(t, err)
|
|
}
|
|
|
|
func TestThrottledHandler(t *testing.T) {
|
|
tr := &throttledReader{
|
|
r: io.NopCloser(bytes.NewBuffer(nil)),
|
|
}
|
|
assert.Equal(t, int64(0), tr.GetTruncatedSize())
|
|
err := tr.Close()
|
|
assert.NoError(t, err)
|
|
assert.Empty(t, tr.GetRealFsPath("real path"))
|
|
assert.False(t, tr.SetTimes("p", time.Now(), time.Now()))
|
|
_, err = tr.Truncate("", 0)
|
|
assert.ErrorIs(t, err, vfs.ErrVfsUnsupported)
|
|
err = tr.GetAbortError()
|
|
assert.ErrorIs(t, err, common.ErrTransferAborted)
|
|
}
|
|
|
|
func TestHTTPDFile(t *testing.T) {
|
|
user := dataprovider.User{
|
|
BaseUser: sdk.BaseUser{
|
|
Username: "test_httpd_user",
|
|
HomeDir: filepath.Clean(os.TempDir()),
|
|
},
|
|
}
|
|
user.Permissions = make(map[string][]string)
|
|
user.Permissions["/"] = []string{dataprovider.PermAny}
|
|
connection := &Connection{
|
|
BaseConnection: common.NewBaseConnection(xid.New().String(), common.ProtocolHTTP, "", "", user),
|
|
}
|
|
|
|
fs, err := user.GetFilesystem("")
|
|
assert.NoError(t, err)
|
|
|
|
name := "fileName"
|
|
p := filepath.Join(os.TempDir(), name)
|
|
err = os.WriteFile(p, []byte("contents"), os.ModePerm)
|
|
assert.NoError(t, err)
|
|
file, err := os.Open(p)
|
|
assert.NoError(t, err)
|
|
err = file.Close()
|
|
assert.NoError(t, err)
|
|
|
|
baseTransfer := common.NewBaseTransfer(file, connection.BaseConnection, nil, p, p, name, common.TransferDownload,
|
|
0, 0, 0, 0, false, fs, dataprovider.TransferQuota{})
|
|
httpdFile := newHTTPDFile(baseTransfer, nil, nil)
|
|
// the file is closed, read should fail
|
|
buf := make([]byte, 100)
|
|
_, err = httpdFile.Read(buf)
|
|
assert.Error(t, err)
|
|
err = httpdFile.Close()
|
|
assert.Error(t, err)
|
|
err = httpdFile.Close()
|
|
assert.ErrorIs(t, err, common.ErrTransferClosed)
|
|
err = os.Remove(p)
|
|
assert.NoError(t, err)
|
|
|
|
httpdFile.writer = file
|
|
httpdFile.File = nil
|
|
httpdFile.ErrTransfer = nil
|
|
err = httpdFile.closeIO()
|
|
assert.Error(t, err)
|
|
assert.Error(t, httpdFile.ErrTransfer)
|
|
assert.Equal(t, err, httpdFile.ErrTransfer)
|
|
httpdFile.SignalClose(nil)
|
|
_, err = httpdFile.Write(nil)
|
|
assert.ErrorIs(t, err, common.ErrQuotaExceeded)
|
|
}
|
|
|
|
func TestChangeUserPwd(t *testing.T) {
|
|
req, _ := http.NewRequest(http.MethodPost, webChangeClientPwdPath, nil)
|
|
err := doChangeUserPassword(req, "", "", "")
|
|
if assert.Error(t, err) {
|
|
assert.Contains(t, err.Error(), "please provide the current password and the new one two times")
|
|
}
|
|
err = doChangeUserPassword(req, "a", "b", "c")
|
|
if assert.Error(t, err) {
|
|
assert.Contains(t, err.Error(), "the two password fields do not match")
|
|
}
|
|
err = doChangeUserPassword(req, "a", "b", "b")
|
|
if assert.Error(t, err) {
|
|
assert.Contains(t, err.Error(), errInvalidTokenClaims.Error())
|
|
}
|
|
}
|
|
|
|
func TestWebUserInvalidClaims(t *testing.T) {
|
|
server := httpdServer{}
|
|
server.initializeRouter()
|
|
|
|
rr := httptest.NewRecorder()
|
|
user := dataprovider.User{
|
|
BaseUser: sdk.BaseUser{
|
|
Username: "",
|
|
Password: "pwd",
|
|
},
|
|
}
|
|
c := jwtTokenClaims{
|
|
Username: user.Username,
|
|
Permissions: nil,
|
|
Signature: user.GetSignature(),
|
|
}
|
|
token, err := c.createTokenResponse(server.tokenAuth, tokenAudienceWebClient, "")
|
|
assert.NoError(t, err)
|
|
|
|
req, _ := http.NewRequest(http.MethodGet, webClientFilesPath, nil)
|
|
req.Header.Set("Cookie", fmt.Sprintf("jwt=%v", token["access_token"]))
|
|
server.handleClientGetFiles(rr, req)
|
|
assert.Equal(t, http.StatusForbidden, rr.Code)
|
|
assert.Contains(t, rr.Body.String(), util.I18nErrorInvalidToken)
|
|
|
|
rr = httptest.NewRecorder()
|
|
req, _ = http.NewRequest(http.MethodGet, webClientDirsPath, nil)
|
|
req.Header.Set("Cookie", fmt.Sprintf("jwt=%v", token["access_token"]))
|
|
server.handleClientGetDirContents(rr, req)
|
|
assert.Equal(t, http.StatusForbidden, rr.Code)
|
|
assert.Contains(t, rr.Body.String(), util.I18nErrorDirList403)
|
|
|
|
rr = httptest.NewRecorder()
|
|
req, _ = http.NewRequest(http.MethodGet, webClientDownloadZipPath, nil)
|
|
req.Header.Set("Cookie", fmt.Sprintf("jwt=%v", token["access_token"]))
|
|
server.handleWebClientDownloadZip(rr, req)
|
|
assert.Equal(t, http.StatusForbidden, rr.Code)
|
|
assert.Contains(t, rr.Body.String(), util.I18nErrorInvalidToken)
|
|
|
|
rr = httptest.NewRecorder()
|
|
req, _ = http.NewRequest(http.MethodGet, webClientEditFilePath, nil)
|
|
req.Header.Set("Cookie", fmt.Sprintf("jwt=%v", token["access_token"]))
|
|
server.handleClientEditFile(rr, req)
|
|
assert.Equal(t, http.StatusForbidden, rr.Code)
|
|
assert.Contains(t, rr.Body.String(), util.I18nErrorInvalidToken)
|
|
|
|
rr = httptest.NewRecorder()
|
|
req, _ = http.NewRequest(http.MethodGet, webClientSharePath, nil)
|
|
req.Header.Set("Cookie", fmt.Sprintf("jwt=%v", token["access_token"]))
|
|
server.handleClientAddShareGet(rr, req)
|
|
assert.Equal(t, http.StatusForbidden, rr.Code)
|
|
assert.Contains(t, rr.Body.String(), util.I18nErrorInvalidToken)
|
|
|
|
rr = httptest.NewRecorder()
|
|
req, _ = http.NewRequest(http.MethodGet, webClientSharePath, nil)
|
|
req.Header.Set("Cookie", fmt.Sprintf("jwt=%v", token["access_token"]))
|
|
server.handleClientUpdateShareGet(rr, req)
|
|
assert.Equal(t, http.StatusForbidden, rr.Code)
|
|
assert.Contains(t, rr.Body.String(), util.I18nErrorInvalidToken)
|
|
|
|
rr = httptest.NewRecorder()
|
|
req, _ = http.NewRequest(http.MethodPost, webClientSharePath, nil)
|
|
req.Header.Set("Cookie", fmt.Sprintf("jwt=%v", token["access_token"]))
|
|
server.handleClientAddSharePost(rr, req)
|
|
assert.Equal(t, http.StatusForbidden, rr.Code)
|
|
assert.Contains(t, rr.Body.String(), util.I18nErrorInvalidToken)
|
|
|
|
rr = httptest.NewRecorder()
|
|
req, _ = http.NewRequest(http.MethodPost, webClientSharePath+"/id", nil)
|
|
req.Header.Set("Cookie", fmt.Sprintf("jwt=%v", token["access_token"]))
|
|
server.handleClientUpdateSharePost(rr, req)
|
|
assert.Equal(t, http.StatusForbidden, rr.Code)
|
|
assert.Contains(t, rr.Body.String(), util.I18nErrorInvalidToken)
|
|
|
|
rr = httptest.NewRecorder()
|
|
req, _ = http.NewRequest(http.MethodGet, webClientSharesPath+jsonAPISuffix, nil)
|
|
req.Header.Set("Cookie", fmt.Sprintf("jwt=%v", token["access_token"]))
|
|
getAllShares(rr, req)
|
|
assert.Equal(t, http.StatusForbidden, rr.Code)
|
|
assert.Contains(t, rr.Body.String(), util.I18nErrorInvalidToken)
|
|
|
|
rr = httptest.NewRecorder()
|
|
req, _ = http.NewRequest(http.MethodGet, webClientViewPDFPath, nil)
|
|
req.Header.Set("Cookie", fmt.Sprintf("jwt=%v", token["access_token"]))
|
|
server.handleClientGetPDF(rr, req)
|
|
assert.Equal(t, http.StatusForbidden, rr.Code)
|
|
assert.Contains(t, rr.Body.String(), util.I18nErrorInvalidToken)
|
|
}
|
|
|
|
func TestInvalidClaims(t *testing.T) {
|
|
server := httpdServer{}
|
|
server.initializeRouter()
|
|
|
|
rr := httptest.NewRecorder()
|
|
user := dataprovider.User{
|
|
BaseUser: sdk.BaseUser{
|
|
Username: "",
|
|
Password: "pwd",
|
|
},
|
|
}
|
|
c := jwtTokenClaims{
|
|
Username: user.Username,
|
|
Permissions: nil,
|
|
Signature: user.GetSignature(),
|
|
}
|
|
token, err := c.createTokenResponse(server.tokenAuth, tokenAudienceWebClient, "")
|
|
assert.NoError(t, err)
|
|
|
|
req, err := http.NewRequest(http.MethodGet, webClientProfilePath, nil)
|
|
assert.NoError(t, err)
|
|
req.Header.Set("Cookie", fmt.Sprintf("jwt=%v", token["access_token"]))
|
|
parsedToken, err := jwtauth.VerifyRequest(server.tokenAuth, req, jwtauth.TokenFromCookie)
|
|
assert.NoError(t, err)
|
|
ctx := req.Context()
|
|
ctx = jwtauth.NewContext(ctx, parsedToken, err)
|
|
req = req.WithContext(ctx)
|
|
|
|
form := make(url.Values)
|
|
form.Set(csrfFormToken, createCSRFToken(rr, req, server.csrfTokenAuth, "", webBaseClientPath))
|
|
form.Set("public_keys", "")
|
|
req, err = http.NewRequest(http.MethodPost, webClientProfilePath, bytes.NewBuffer([]byte(form.Encode())))
|
|
assert.NoError(t, err)
|
|
req = req.WithContext(ctx)
|
|
req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
|
|
req.Header.Set("Cookie", fmt.Sprintf("jwt=%v", token["access_token"]))
|
|
server.handleWebClientProfilePost(rr, req)
|
|
assert.Equal(t, http.StatusForbidden, rr.Code)
|
|
|
|
admin := dataprovider.Admin{
|
|
Username: "",
|
|
Password: user.Password,
|
|
}
|
|
c = jwtTokenClaims{
|
|
Username: admin.Username,
|
|
Permissions: nil,
|
|
Signature: admin.GetSignature(),
|
|
}
|
|
token, err = c.createTokenResponse(server.tokenAuth, tokenAudienceWebAdmin, "")
|
|
assert.NoError(t, err)
|
|
|
|
req, err = http.NewRequest(http.MethodGet, webAdminProfilePath, nil)
|
|
assert.NoError(t, err)
|
|
req.Header.Set("Cookie", fmt.Sprintf("jwt=%v", token["access_token"]))
|
|
parsedToken, err = jwtauth.VerifyRequest(server.tokenAuth, req, jwtauth.TokenFromCookie)
|
|
assert.NoError(t, err)
|
|
ctx = req.Context()
|
|
ctx = jwtauth.NewContext(ctx, parsedToken, err)
|
|
req = req.WithContext(ctx)
|
|
|
|
form = make(url.Values)
|
|
form.Set(csrfFormToken, createCSRFToken(rr, req, server.csrfTokenAuth, "", webBaseAdminPath))
|
|
form.Set("allow_api_key_auth", "")
|
|
req, err = http.NewRequest(http.MethodPost, webAdminProfilePath, bytes.NewBuffer([]byte(form.Encode())))
|
|
assert.NoError(t, err)
|
|
req = req.WithContext(ctx)
|
|
req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
|
|
req.Header.Set("Cookie", fmt.Sprintf("jwt=%v", token["access_token"]))
|
|
server.handleWebAdminProfilePost(rr, req)
|
|
assert.Equal(t, http.StatusForbidden, rr.Code)
|
|
assert.Contains(t, rr.Body.String(), util.I18nErrorInvalidToken)
|
|
}
|
|
|
|
func TestTLSReq(t *testing.T) {
|
|
req, err := http.NewRequest(http.MethodGet, webClientLoginPath, nil)
|
|
assert.NoError(t, err)
|
|
req.TLS = &tls.ConnectionState{}
|
|
assert.True(t, isTLS(req))
|
|
req.TLS = nil
|
|
ctx := context.WithValue(req.Context(), forwardedProtoKey, "https")
|
|
assert.True(t, isTLS(req.WithContext(ctx)))
|
|
ctx = context.WithValue(req.Context(), forwardedProtoKey, "http")
|
|
assert.False(t, isTLS(req.WithContext(ctx)))
|
|
assert.Equal(t, "context value forwarded proto", forwardedProtoKey.String())
|
|
}
|
|
|
|
func TestSigningKey(t *testing.T) {
|
|
signingPassphrase := "test"
|
|
server1 := httpdServer{
|
|
signingPassphrase: signingPassphrase,
|
|
}
|
|
server1.initializeRouter()
|
|
|
|
server2 := httpdServer{
|
|
signingPassphrase: signingPassphrase,
|
|
}
|
|
server2.initializeRouter()
|
|
|
|
user := dataprovider.User{
|
|
BaseUser: sdk.BaseUser{
|
|
Username: "",
|
|
Password: "pwd",
|
|
},
|
|
}
|
|
c := jwtTokenClaims{
|
|
Username: user.Username,
|
|
Permissions: nil,
|
|
Signature: user.GetSignature(),
|
|
}
|
|
token, err := c.createTokenResponse(server1.tokenAuth, tokenAudienceWebClient, "")
|
|
assert.NoError(t, err)
|
|
accessToken := token["access_token"].(string)
|
|
assert.NotEmpty(t, accessToken)
|
|
_, err = server1.tokenAuth.Decode(accessToken)
|
|
assert.NoError(t, err)
|
|
_, err = server2.tokenAuth.Decode(accessToken)
|
|
assert.NoError(t, err)
|
|
}
|
|
|
|
func TestLoginLinks(t *testing.T) {
|
|
b := Binding{
|
|
EnableWebAdmin: true,
|
|
EnableWebClient: false,
|
|
EnableRESTAPI: true,
|
|
}
|
|
assert.False(t, b.showClientLoginURL())
|
|
b = Binding{
|
|
EnableWebAdmin: false,
|
|
EnableWebClient: true,
|
|
EnableRESTAPI: true,
|
|
}
|
|
assert.False(t, b.showAdminLoginURL())
|
|
b = Binding{
|
|
EnableWebAdmin: true,
|
|
EnableWebClient: true,
|
|
EnableRESTAPI: true,
|
|
}
|
|
assert.True(t, b.showAdminLoginURL())
|
|
assert.True(t, b.showClientLoginURL())
|
|
b.HideLoginURL = 3
|
|
assert.False(t, b.showAdminLoginURL())
|
|
assert.False(t, b.showClientLoginURL())
|
|
b.HideLoginURL = 1
|
|
assert.True(t, b.showAdminLoginURL())
|
|
assert.False(t, b.showClientLoginURL())
|
|
b.HideLoginURL = 2
|
|
assert.False(t, b.showAdminLoginURL())
|
|
assert.True(t, b.showClientLoginURL())
|
|
}
|
|
|
|
func TestResetCodesCleanup(t *testing.T) {
|
|
resetCode := newResetCode(util.GenerateUniqueID(), false)
|
|
resetCode.ExpiresAt = time.Now().Add(-1 * time.Minute).UTC()
|
|
err := resetCodesMgr.Add(resetCode)
|
|
assert.NoError(t, err)
|
|
resetCodesMgr.Cleanup()
|
|
_, err = resetCodesMgr.Get(resetCode.Code)
|
|
assert.Error(t, err)
|
|
}
|
|
|
|
func TestUserCanResetPassword(t *testing.T) {
|
|
req, err := http.NewRequest(http.MethodGet, webClientLoginPath, nil)
|
|
assert.NoError(t, err)
|
|
req.RemoteAddr = "172.16.9.2:55080"
|
|
|
|
u := dataprovider.User{}
|
|
assert.True(t, isUserAllowedToResetPassword(req, &u))
|
|
u.Filters.DeniedProtocols = []string{common.ProtocolHTTP}
|
|
assert.False(t, isUserAllowedToResetPassword(req, &u))
|
|
u.Filters.DeniedProtocols = nil
|
|
u.Filters.WebClient = []string{sdk.WebClientPasswordResetDisabled}
|
|
assert.False(t, isUserAllowedToResetPassword(req, &u))
|
|
u.Filters.WebClient = nil
|
|
u.Filters.DeniedLoginMethods = []string{dataprovider.LoginMethodPassword}
|
|
assert.False(t, isUserAllowedToResetPassword(req, &u))
|
|
u.Filters.DeniedLoginMethods = nil
|
|
u.Filters.AllowedIP = []string{"127.0.0.1/8"}
|
|
assert.False(t, isUserAllowedToResetPassword(req, &u))
|
|
}
|
|
|
|
func TestBrowsableSharePaths(t *testing.T) {
|
|
share := dataprovider.Share{
|
|
Paths: []string{"/"},
|
|
Username: defaultAdminUsername,
|
|
}
|
|
_, err := getUserForShare(share)
|
|
if assert.Error(t, err) {
|
|
assert.ErrorIs(t, err, util.ErrNotFound)
|
|
}
|
|
req, err := http.NewRequest(http.MethodGet, "/share", nil)
|
|
require.NoError(t, err)
|
|
name, err := getBrowsableSharedPath(share.Paths[0], req)
|
|
assert.NoError(t, err)
|
|
assert.Equal(t, "/", name)
|
|
req, err = http.NewRequest(http.MethodGet, "/share?path=abc", nil)
|
|
require.NoError(t, err)
|
|
name, err = getBrowsableSharedPath(share.Paths[0], req)
|
|
assert.NoError(t, err)
|
|
assert.Equal(t, "/abc", name)
|
|
|
|
share.Paths = []string{"/a/b/c"}
|
|
req, err = http.NewRequest(http.MethodGet, "/share?path=abc", nil)
|
|
require.NoError(t, err)
|
|
name, err = getBrowsableSharedPath(share.Paths[0], req)
|
|
assert.NoError(t, err)
|
|
assert.Equal(t, "/a/b/c/abc", name)
|
|
req, err = http.NewRequest(http.MethodGet, "/share?path=%2Fabc/d", nil)
|
|
require.NoError(t, err)
|
|
name, err = getBrowsableSharedPath(share.Paths[0], req)
|
|
assert.NoError(t, err)
|
|
assert.Equal(t, "/a/b/c/abc/d", name)
|
|
|
|
req, err = http.NewRequest(http.MethodGet, "/share?path=%2Fabc%2F..%2F..", nil)
|
|
require.NoError(t, err)
|
|
_, err = getBrowsableSharedPath(share.Paths[0], req)
|
|
assert.Error(t, err)
|
|
|
|
req, err = http.NewRequest(http.MethodGet, "/share?path=%2Fabc%2F..", nil)
|
|
require.NoError(t, err)
|
|
name, err = getBrowsableSharedPath(share.Paths[0], req)
|
|
assert.NoError(t, err)
|
|
assert.Equal(t, "/a/b/c", name)
|
|
|
|
share = dataprovider.Share{
|
|
Paths: []string{"/a", "/b"},
|
|
}
|
|
}
|
|
|
|
func TestSecureMiddlewareIntegration(t *testing.T) {
|
|
forwardedHostHeader := "X-Forwarded-Host"
|
|
server := httpdServer{
|
|
binding: Binding{
|
|
ProxyAllowed: []string{"192.168.1.0/24"},
|
|
Security: SecurityConf{
|
|
Enabled: true,
|
|
AllowedHosts: []string{"*.sftpgo.com"},
|
|
AllowedHostsAreRegex: true,
|
|
HostsProxyHeaders: []string{forwardedHostHeader},
|
|
HTTPSProxyHeaders: []HTTPSProxyHeader{
|
|
{
|
|
Key: xForwardedProto,
|
|
Value: "https",
|
|
},
|
|
},
|
|
STSSeconds: 31536000,
|
|
STSIncludeSubdomains: true,
|
|
STSPreload: true,
|
|
ContentTypeNosniff: true,
|
|
CacheControl: "private",
|
|
},
|
|
},
|
|
enableWebAdmin: true,
|
|
enableWebClient: true,
|
|
enableRESTAPI: true,
|
|
}
|
|
server.binding.Security.updateProxyHeaders()
|
|
err := server.binding.parseAllowedProxy()
|
|
assert.NoError(t, err)
|
|
assert.Equal(t, []string{forwardedHostHeader, xForwardedProto}, server.binding.Security.proxyHeaders)
|
|
assert.Equal(t, map[string]string{xForwardedProto: "https"}, server.binding.Security.getHTTPSProxyHeaders())
|
|
server.initializeRouter()
|
|
|
|
rr := httptest.NewRecorder()
|
|
r, err := http.NewRequest(http.MethodGet, webClientLoginPath, nil)
|
|
assert.NoError(t, err)
|
|
r.Host = "127.0.0.1"
|
|
server.router.ServeHTTP(rr, r)
|
|
assert.Equal(t, http.StatusForbidden, rr.Code)
|
|
assert.Equal(t, "no-cache, no-store, max-age=0, must-revalidate, private", rr.Header().Get("Cache-Control"))
|
|
|
|
rr = httptest.NewRecorder()
|
|
r.Header.Set(forwardedHostHeader, "www.sftpgo.com")
|
|
server.router.ServeHTTP(rr, r)
|
|
assert.Equal(t, http.StatusForbidden, rr.Code)
|
|
// the header should be removed
|
|
assert.Empty(t, r.Header.Get(forwardedHostHeader))
|
|
|
|
rr = httptest.NewRecorder()
|
|
r.Host = "test.sftpgo.com"
|
|
r.Header.Set(forwardedHostHeader, "test.example.com")
|
|
r.RemoteAddr = "192.168.1.1"
|
|
server.router.ServeHTTP(rr, r)
|
|
assert.Equal(t, http.StatusForbidden, rr.Code)
|
|
assert.NotEmpty(t, r.Header.Get(forwardedHostHeader))
|
|
|
|
rr = httptest.NewRecorder()
|
|
r.Header.Set(forwardedHostHeader, "www.sftpgo.com")
|
|
r.RemoteAddr = "192.168.1.1"
|
|
server.router.ServeHTTP(rr, r)
|
|
assert.Equal(t, http.StatusOK, rr.Code)
|
|
assert.NotEmpty(t, r.Header.Get(forwardedHostHeader))
|
|
assert.Empty(t, rr.Header().Get("Strict-Transport-Security"))
|
|
assert.Equal(t, "nosniff", rr.Header().Get("X-Content-Type-Options"))
|
|
// now set the X-Forwarded-Proto to https, we should get the Strict-Transport-Security header
|
|
rr = httptest.NewRecorder()
|
|
r.Host = "test.sftpgo.com"
|
|
r.Header.Set(xForwardedProto, "https")
|
|
r.RemoteAddr = "192.168.1.3"
|
|
server.router.ServeHTTP(rr, r)
|
|
assert.Equal(t, http.StatusOK, rr.Code)
|
|
assert.NotEmpty(t, r.Header.Get(forwardedHostHeader))
|
|
assert.Equal(t, "max-age=31536000; includeSubDomains; preload", rr.Header().Get("Strict-Transport-Security"))
|
|
assert.Equal(t, "nosniff", rr.Header().Get("X-Content-Type-Options"))
|
|
|
|
server.binding.Security.Enabled = false
|
|
server.binding.Security.updateProxyHeaders()
|
|
assert.Len(t, server.binding.Security.proxyHeaders, 0)
|
|
}
|
|
|
|
func TestGetCompressedFileName(t *testing.T) {
|
|
username := "test"
|
|
res := getCompressedFileName(username, []string{"single dir"})
|
|
require.Equal(t, fmt.Sprintf("%s-single dir.zip", username), res)
|
|
res = getCompressedFileName(username, []string{"file1", "file2"})
|
|
require.Equal(t, fmt.Sprintf("%s-download.zip", username), res)
|
|
res = getCompressedFileName(username, []string{"file1.txt"})
|
|
require.Equal(t, fmt.Sprintf("%s-file1.zip", username), res)
|
|
// now files with full paths
|
|
res = getCompressedFileName(username, []string{"/dir/single dir"})
|
|
require.Equal(t, fmt.Sprintf("%s-single dir.zip", username), res)
|
|
res = getCompressedFileName(username, []string{"/adir/file1", "/adir/file2"})
|
|
require.Equal(t, fmt.Sprintf("%s-download.zip", username), res)
|
|
res = getCompressedFileName(username, []string{"/sub/dir/file1.txt"})
|
|
require.Equal(t, fmt.Sprintf("%s-file1.zip", username), res)
|
|
}
|
|
|
|
func TestRESTAPIDisabled(t *testing.T) {
|
|
server := httpdServer{
|
|
enableWebAdmin: true,
|
|
enableWebClient: true,
|
|
enableRESTAPI: false,
|
|
}
|
|
server.initializeRouter()
|
|
assert.False(t, server.enableRESTAPI)
|
|
rr := httptest.NewRecorder()
|
|
r, err := http.NewRequest(http.MethodGet, healthzPath, nil)
|
|
assert.NoError(t, err)
|
|
server.router.ServeHTTP(rr, r)
|
|
assert.Equal(t, http.StatusOK, rr.Code)
|
|
|
|
rr = httptest.NewRecorder()
|
|
r, err = http.NewRequest(http.MethodGet, tokenPath, nil)
|
|
assert.NoError(t, err)
|
|
server.router.ServeHTTP(rr, r)
|
|
assert.Equal(t, http.StatusNotFound, rr.Code)
|
|
}
|
|
|
|
func TestWebAdminSetupWithInstallCode(t *testing.T) {
|
|
installationCode = "1234"
|
|
// delete all the admins
|
|
admins, err := dataprovider.GetAdmins(100, 0, dataprovider.OrderASC)
|
|
assert.NoError(t, err)
|
|
for _, admin := range admins {
|
|
err = dataprovider.DeleteAdmin(admin.Username, "", "", "")
|
|
assert.NoError(t, err)
|
|
}
|
|
// close the provider and initializes it without creating the default admin
|
|
providerConf := dataprovider.GetProviderConfig()
|
|
providerConf.CreateDefaultAdmin = false
|
|
err = dataprovider.Close()
|
|
assert.NoError(t, err)
|
|
err = dataprovider.Initialize(providerConf, configDir, true)
|
|
assert.NoError(t, err)
|
|
|
|
server := httpdServer{
|
|
enableWebAdmin: true,
|
|
enableWebClient: true,
|
|
enableRESTAPI: true,
|
|
}
|
|
server.initializeRouter()
|
|
|
|
for _, webURL := range []string{"/", webBasePath, webBaseAdminPath, webAdminLoginPath, webClientLoginPath} {
|
|
rr := httptest.NewRecorder()
|
|
r, err := http.NewRequest(http.MethodGet, webURL, nil)
|
|
assert.NoError(t, err)
|
|
server.router.ServeHTTP(rr, r)
|
|
assert.Equal(t, http.StatusFound, rr.Code)
|
|
assert.Equal(t, webAdminSetupPath, rr.Header().Get("Location"))
|
|
}
|
|
|
|
rr := httptest.NewRecorder()
|
|
r, err := http.NewRequest(http.MethodGet, webAdminSetupPath, nil)
|
|
assert.NoError(t, err)
|
|
server.router.ServeHTTP(rr, r)
|
|
assert.Equal(t, http.StatusOK, rr.Code)
|
|
cookie := rr.Header().Get("Set-Cookie")
|
|
r.Header.Set("Cookie", cookie)
|
|
parsedToken, err := jwtauth.VerifyRequest(server.csrfTokenAuth, r, jwtauth.TokenFromCookie)
|
|
assert.NoError(t, err)
|
|
ctx := r.Context()
|
|
ctx = jwtauth.NewContext(ctx, parsedToken, err)
|
|
r = r.WithContext(ctx)
|
|
|
|
form := make(url.Values)
|
|
csrfToken := createCSRFToken(rr, r, server.csrfTokenAuth, "", webBaseAdminPath)
|
|
form.Set(csrfFormToken, csrfToken)
|
|
form.Set("install_code", installationCode+"5")
|
|
form.Set("username", defaultAdminUsername)
|
|
form.Set("password", "password")
|
|
form.Set("confirm_password", "password")
|
|
rr = httptest.NewRecorder()
|
|
r, err = http.NewRequest(http.MethodPost, webAdminSetupPath, bytes.NewBuffer([]byte(form.Encode())))
|
|
assert.NoError(t, err)
|
|
r = r.WithContext(ctx)
|
|
r.Header.Set("Cookie", cookie)
|
|
r.Header.Set("Content-Type", "application/x-www-form-urlencoded")
|
|
server.router.ServeHTTP(rr, r)
|
|
assert.Equal(t, http.StatusOK, rr.Code)
|
|
assert.Contains(t, rr.Body.String(), util.I18nErrorSetupInstallCode)
|
|
|
|
_, err = dataprovider.AdminExists(defaultAdminUsername)
|
|
assert.Error(t, err)
|
|
form.Set("install_code", installationCode)
|
|
rr = httptest.NewRecorder()
|
|
r, err = http.NewRequest(http.MethodPost, webAdminSetupPath, bytes.NewBuffer([]byte(form.Encode())))
|
|
assert.NoError(t, err)
|
|
r = r.WithContext(ctx)
|
|
r.Header.Set("Cookie", cookie)
|
|
r.Header.Set("Content-Type", "application/x-www-form-urlencoded")
|
|
server.router.ServeHTTP(rr, r)
|
|
assert.Equal(t, http.StatusFound, rr.Code)
|
|
assert.Equal(t, webAdminMFAPath, rr.Header().Get("Location"))
|
|
|
|
_, err = dataprovider.AdminExists(defaultAdminUsername)
|
|
assert.NoError(t, err)
|
|
|
|
// delete the admin and test the installation code resolver
|
|
err = dataprovider.DeleteAdmin(defaultAdminUsername, "", "", "")
|
|
assert.NoError(t, err)
|
|
|
|
err = dataprovider.Close()
|
|
assert.NoError(t, err)
|
|
err = dataprovider.Initialize(providerConf, configDir, true)
|
|
assert.NoError(t, err)
|
|
|
|
SetInstallationCodeResolver(func(_ string) string {
|
|
return "5678"
|
|
})
|
|
|
|
for _, webURL := range []string{"/", webBasePath, webBaseAdminPath, webAdminLoginPath, webClientLoginPath} {
|
|
rr = httptest.NewRecorder()
|
|
r, err = http.NewRequest(http.MethodGet, webURL, nil)
|
|
assert.NoError(t, err)
|
|
server.router.ServeHTTP(rr, r)
|
|
assert.Equal(t, http.StatusFound, rr.Code)
|
|
assert.Equal(t, webAdminSetupPath, rr.Header().Get("Location"))
|
|
}
|
|
|
|
rr = httptest.NewRecorder()
|
|
r, err = http.NewRequest(http.MethodGet, webAdminSetupPath, nil)
|
|
assert.NoError(t, err)
|
|
server.router.ServeHTTP(rr, r)
|
|
assert.Equal(t, http.StatusOK, rr.Code)
|
|
cookie = rr.Header().Get("Set-Cookie")
|
|
r.Header.Set("Cookie", cookie)
|
|
parsedToken, err = jwtauth.VerifyRequest(server.csrfTokenAuth, r, jwtauth.TokenFromCookie)
|
|
assert.NoError(t, err)
|
|
ctx = r.Context()
|
|
ctx = jwtauth.NewContext(ctx, parsedToken, err)
|
|
r = r.WithContext(ctx)
|
|
|
|
form = make(url.Values)
|
|
csrfToken = createCSRFToken(rr, r, server.csrfTokenAuth, "", webBaseAdminPath)
|
|
form.Set(csrfFormToken, csrfToken)
|
|
form.Set("install_code", installationCode)
|
|
form.Set("username", defaultAdminUsername)
|
|
form.Set("password", "password")
|
|
form.Set("confirm_password", "password")
|
|
rr = httptest.NewRecorder()
|
|
r, err = http.NewRequest(http.MethodPost, webAdminSetupPath, bytes.NewBuffer([]byte(form.Encode())))
|
|
assert.NoError(t, err)
|
|
r = r.WithContext(ctx)
|
|
r.Header.Set("Cookie", cookie)
|
|
r.Header.Set("Content-Type", "application/x-www-form-urlencoded")
|
|
server.router.ServeHTTP(rr, r)
|
|
assert.Equal(t, http.StatusOK, rr.Code)
|
|
assert.Contains(t, rr.Body.String(), util.I18nErrorSetupInstallCode)
|
|
|
|
_, err = dataprovider.AdminExists(defaultAdminUsername)
|
|
assert.Error(t, err)
|
|
form.Set("install_code", "5678")
|
|
rr = httptest.NewRecorder()
|
|
r, err = http.NewRequest(http.MethodPost, webAdminSetupPath, bytes.NewBuffer([]byte(form.Encode())))
|
|
assert.NoError(t, err)
|
|
r = r.WithContext(ctx)
|
|
r.Header.Set("Cookie", cookie)
|
|
r.Header.Set("Content-Type", "application/x-www-form-urlencoded")
|
|
server.router.ServeHTTP(rr, r)
|
|
assert.Equal(t, http.StatusFound, rr.Code)
|
|
assert.Equal(t, webAdminMFAPath, rr.Header().Get("Location"))
|
|
|
|
_, err = dataprovider.AdminExists(defaultAdminUsername)
|
|
assert.NoError(t, err)
|
|
|
|
err = dataprovider.Close()
|
|
assert.NoError(t, err)
|
|
providerConf.CreateDefaultAdmin = true
|
|
err = dataprovider.Initialize(providerConf, configDir, true)
|
|
assert.NoError(t, err)
|
|
installationCode = ""
|
|
SetInstallationCodeResolver(nil)
|
|
}
|
|
|
|
func TestDbResetCodeManager(t *testing.T) {
|
|
if !isSharedProviderSupported() {
|
|
t.Skip("this test it is not available with this provider")
|
|
}
|
|
mgr := newResetCodeManager(1)
|
|
resetCode := newResetCode("admin", true)
|
|
err := mgr.Add(resetCode)
|
|
assert.NoError(t, err)
|
|
codeGet, err := mgr.Get(resetCode.Code)
|
|
assert.NoError(t, err)
|
|
assert.Equal(t, resetCode, codeGet)
|
|
err = mgr.Delete(resetCode.Code)
|
|
assert.NoError(t, err)
|
|
err = mgr.Delete(resetCode.Code)
|
|
if assert.Error(t, err) {
|
|
assert.ErrorIs(t, err, util.ErrNotFound)
|
|
}
|
|
_, err = mgr.Get(resetCode.Code)
|
|
assert.ErrorIs(t, err, util.ErrNotFound)
|
|
// add an expired reset code
|
|
resetCode = newResetCode("user", false)
|
|
resetCode.ExpiresAt = time.Now().Add(-24 * time.Hour)
|
|
err = mgr.Add(resetCode)
|
|
assert.NoError(t, err)
|
|
_, err = mgr.Get(resetCode.Code)
|
|
if assert.Error(t, err) {
|
|
assert.Contains(t, err.Error(), "reset code expired")
|
|
}
|
|
mgr.Cleanup()
|
|
_, err = mgr.Get(resetCode.Code)
|
|
assert.ErrorIs(t, err, util.ErrNotFound)
|
|
|
|
dbMgr, ok := mgr.(*dbResetCodeManager)
|
|
if assert.True(t, ok) {
|
|
_, err = dbMgr.decodeData("astring")
|
|
assert.Error(t, err)
|
|
}
|
|
}
|
|
|
|
func TestDecodeToken(t *testing.T) {
|
|
nodeID := "nodeID"
|
|
token := map[string]any{
|
|
claimUsernameKey: defaultAdminUsername,
|
|
claimPermissionsKey: []string{dataprovider.PermAdminAny},
|
|
jwt.SubjectKey: "",
|
|
claimNodeID: nodeID,
|
|
claimMustChangePasswordKey: false,
|
|
claimMustSetSecondFactorKey: true,
|
|
claimRef: "ref",
|
|
}
|
|
c := jwtTokenClaims{}
|
|
c.Decode(token)
|
|
assert.Equal(t, defaultAdminUsername, c.Username)
|
|
assert.Equal(t, nodeID, c.NodeID)
|
|
assert.False(t, c.MustChangePassword)
|
|
assert.True(t, c.MustSetTwoFactorAuth)
|
|
assert.Equal(t, "ref", c.Ref)
|
|
|
|
asMap := c.asMap()
|
|
asMap[claimMustChangePasswordKey] = false
|
|
assert.Equal(t, token, asMap)
|
|
|
|
token[claimMustChangePasswordKey] = 10
|
|
c = jwtTokenClaims{}
|
|
c.Decode(token)
|
|
assert.False(t, c.MustChangePassword)
|
|
|
|
token[claimMustChangePasswordKey] = true
|
|
c = jwtTokenClaims{}
|
|
c.Decode(token)
|
|
assert.True(t, c.MustChangePassword)
|
|
|
|
claims := c.asMap()
|
|
assert.Equal(t, token, claims)
|
|
}
|
|
|
|
func TestEventRoleFilter(t *testing.T) {
|
|
defaultVal := "default"
|
|
req, err := http.NewRequest(http.MethodGet, fsEventsPath+"?role=role1", nil)
|
|
require.NoError(t, err)
|
|
role := getRoleFilterForEventSearch(req, defaultVal)
|
|
assert.Equal(t, defaultVal, role)
|
|
role = getRoleFilterForEventSearch(req, "")
|
|
assert.Equal(t, "role1", role)
|
|
}
|
|
|
|
func TestEventsCSV(t *testing.T) {
|
|
e := fsEvent{
|
|
Status: 1,
|
|
}
|
|
data := e.getCSVData()
|
|
assert.Equal(t, "OK", data[5])
|
|
e.Status = 2
|
|
data = e.getCSVData()
|
|
assert.Equal(t, "KO", data[5])
|
|
e.Status = 3
|
|
data = e.getCSVData()
|
|
assert.Equal(t, "Quota exceeded", data[5])
|
|
}
|
|
|
|
func TestConfigsFromProvider(t *testing.T) {
|
|
err := dataprovider.UpdateConfigs(nil, "", "", "")
|
|
assert.NoError(t, err)
|
|
c := Conf{
|
|
Bindings: []Binding{
|
|
{
|
|
Port: 1234,
|
|
},
|
|
{
|
|
Port: 80,
|
|
Security: SecurityConf{
|
|
Enabled: true,
|
|
HTTPSRedirect: true,
|
|
},
|
|
},
|
|
},
|
|
}
|
|
err = c.loadFromProvider()
|
|
assert.NoError(t, err)
|
|
assert.Empty(t, c.acmeDomain)
|
|
configs := dataprovider.Configs{
|
|
ACME: &dataprovider.ACMEConfigs{
|
|
Domain: "domain.com",
|
|
Email: "info@domain.com",
|
|
HTTP01Challenge: dataprovider.ACMEHTTP01Challenge{Port: 80},
|
|
Protocols: 1,
|
|
},
|
|
}
|
|
err = dataprovider.UpdateConfigs(&configs, "", "", "")
|
|
assert.NoError(t, err)
|
|
util.CertsBasePath = ""
|
|
// crt and key empty
|
|
err = c.loadFromProvider()
|
|
assert.NoError(t, err)
|
|
assert.Empty(t, c.acmeDomain)
|
|
util.CertsBasePath = filepath.Clean(os.TempDir())
|
|
// crt not found
|
|
err = c.loadFromProvider()
|
|
assert.NoError(t, err)
|
|
assert.Empty(t, c.acmeDomain)
|
|
keyPairs := c.getKeyPairs(configDir)
|
|
assert.Len(t, keyPairs, 0)
|
|
crtPath := filepath.Join(util.CertsBasePath, util.SanitizeDomain(configs.ACME.Domain)+".crt")
|
|
err = os.WriteFile(crtPath, nil, 0666)
|
|
assert.NoError(t, err)
|
|
// key not found
|
|
err = c.loadFromProvider()
|
|
assert.NoError(t, err)
|
|
assert.Empty(t, c.acmeDomain)
|
|
keyPairs = c.getKeyPairs(configDir)
|
|
assert.Len(t, keyPairs, 0)
|
|
keyPath := filepath.Join(util.CertsBasePath, util.SanitizeDomain(configs.ACME.Domain)+".key")
|
|
err = os.WriteFile(keyPath, nil, 0666)
|
|
assert.NoError(t, err)
|
|
// acme cert used
|
|
err = c.loadFromProvider()
|
|
assert.NoError(t, err)
|
|
assert.Equal(t, configs.ACME.Domain, c.acmeDomain)
|
|
keyPairs = c.getKeyPairs(configDir)
|
|
assert.Len(t, keyPairs, 1)
|
|
assert.True(t, c.Bindings[0].EnableHTTPS)
|
|
assert.False(t, c.Bindings[1].EnableHTTPS)
|
|
// protocols does not match
|
|
configs.ACME.Protocols = 6
|
|
err = dataprovider.UpdateConfigs(&configs, "", "", "")
|
|
assert.NoError(t, err)
|
|
c.acmeDomain = ""
|
|
err = c.loadFromProvider()
|
|
assert.NoError(t, err)
|
|
assert.Empty(t, c.acmeDomain)
|
|
keyPairs = c.getKeyPairs(configDir)
|
|
assert.Len(t, keyPairs, 0)
|
|
|
|
err = os.Remove(crtPath)
|
|
assert.NoError(t, err)
|
|
err = os.Remove(keyPath)
|
|
assert.NoError(t, err)
|
|
util.CertsBasePath = ""
|
|
err = dataprovider.UpdateConfigs(nil, "", "", "")
|
|
assert.NoError(t, err)
|
|
}
|
|
|
|
func TestHTTPSRedirect(t *testing.T) {
|
|
acmeWebRoot := filepath.Join(os.TempDir(), "acme")
|
|
err := os.MkdirAll(acmeWebRoot, os.ModePerm)
|
|
assert.NoError(t, err)
|
|
tokenName := "token"
|
|
err = os.WriteFile(filepath.Join(acmeWebRoot, tokenName), []byte("val"), 0666)
|
|
assert.NoError(t, err)
|
|
|
|
acmeConfig := acme.Configuration{
|
|
HTTP01Challenge: acme.HTTP01Challenge{WebRoot: acmeWebRoot},
|
|
}
|
|
err = acme.Initialize(acmeConfig, configDir, true)
|
|
require.NoError(t, err)
|
|
|
|
forwardedHostHeader := "X-Forwarded-Host"
|
|
server := httpdServer{
|
|
binding: Binding{
|
|
Security: SecurityConf{
|
|
Enabled: true,
|
|
HTTPSRedirect: true,
|
|
HostsProxyHeaders: []string{forwardedHostHeader},
|
|
},
|
|
},
|
|
}
|
|
server.initializeRouter()
|
|
|
|
rr := httptest.NewRecorder()
|
|
r, err := http.NewRequest(http.MethodGet, path.Join(acmeChallengeURI, tokenName), nil)
|
|
assert.NoError(t, err)
|
|
r.Host = "localhost"
|
|
r.RequestURI = path.Join(acmeChallengeURI, tokenName)
|
|
server.router.ServeHTTP(rr, r)
|
|
assert.Equal(t, http.StatusOK, rr.Code, rr.Body.String())
|
|
|
|
rr = httptest.NewRecorder()
|
|
r, err = http.NewRequest(http.MethodGet, webAdminLoginPath, nil)
|
|
assert.NoError(t, err)
|
|
r.RequestURI = webAdminLoginPath
|
|
server.router.ServeHTTP(rr, r)
|
|
assert.Equal(t, http.StatusTemporaryRedirect, rr.Code, rr.Body.String())
|
|
|
|
rr = httptest.NewRecorder()
|
|
r, err = http.NewRequest(http.MethodGet, webAdminLoginPath, nil)
|
|
assert.NoError(t, err)
|
|
r.RequestURI = webAdminLoginPath
|
|
r.Header.Set(forwardedHostHeader, "sftpgo.com")
|
|
server.router.ServeHTTP(rr, r)
|
|
assert.Equal(t, http.StatusTemporaryRedirect, rr.Code, rr.Body.String())
|
|
assert.Contains(t, rr.Body.String(), "https://sftpgo.com")
|
|
|
|
server.binding.Security.HTTPSHost = "myhost:1044"
|
|
rr = httptest.NewRecorder()
|
|
r, err = http.NewRequest(http.MethodGet, webAdminLoginPath, nil)
|
|
assert.NoError(t, err)
|
|
r.RequestURI = webAdminLoginPath
|
|
server.router.ServeHTTP(rr, r)
|
|
assert.Equal(t, http.StatusTemporaryRedirect, rr.Code, rr.Body.String())
|
|
assert.Contains(t, rr.Body.String(), "https://myhost:1044")
|
|
|
|
err = os.RemoveAll(acmeWebRoot)
|
|
assert.NoError(t, err)
|
|
}
|
|
|
|
func TestGetLogEventString(t *testing.T) {
|
|
assert.Equal(t, "Login failed", getLogEventString(notifier.LogEventTypeLoginFailed))
|
|
assert.Equal(t, "Login with non-existent user", getLogEventString(notifier.LogEventTypeLoginNoUser))
|
|
assert.Equal(t, "No login tried", getLogEventString(notifier.LogEventTypeNoLoginTried))
|
|
assert.Equal(t, "Algorithm negotiation failed", getLogEventString(notifier.LogEventTypeNotNegotiated))
|
|
assert.Equal(t, "Login succeeded", getLogEventString(notifier.LogEventTypeLoginOK))
|
|
assert.Empty(t, getLogEventString(0))
|
|
}
|
|
|
|
func TestUserQuotaUsage(t *testing.T) {
|
|
usage := userQuotaUsage{
|
|
QuotaSize: 100,
|
|
}
|
|
require.True(t, usage.HasQuotaInfo())
|
|
require.NotEmpty(t, usage.GetQuotaSize())
|
|
providerConf := dataprovider.GetProviderConfig()
|
|
quotaTracking := dataprovider.GetQuotaTracking()
|
|
providerConf.TrackQuota = 0
|
|
err := dataprovider.Close()
|
|
assert.NoError(t, err)
|
|
err = dataprovider.Initialize(providerConf, configDir, true)
|
|
assert.NoError(t, err)
|
|
err = dataprovider.Close()
|
|
assert.NoError(t, err)
|
|
assert.False(t, usage.HasQuotaInfo())
|
|
providerConf.TrackQuota = quotaTracking
|
|
err = dataprovider.Initialize(providerConf, configDir, true)
|
|
assert.NoError(t, err)
|
|
usage.QuotaSize = 0
|
|
assert.False(t, usage.HasQuotaInfo())
|
|
assert.Empty(t, usage.GetQuotaSize())
|
|
assert.Equal(t, 0, usage.GetQuotaSizePercentage())
|
|
assert.False(t, usage.IsQuotaSizeLow())
|
|
assert.False(t, usage.IsDiskQuotaLow())
|
|
assert.False(t, usage.IsQuotaLow())
|
|
usage.UsedQuotaSize = 9
|
|
assert.NotEmpty(t, usage.GetQuotaSize())
|
|
usage.QuotaSize = 10
|
|
assert.True(t, usage.IsQuotaSizeLow())
|
|
assert.True(t, usage.IsDiskQuotaLow())
|
|
assert.True(t, usage.IsQuotaLow())
|
|
usage.DownloadDataTransfer = 1
|
|
assert.True(t, usage.HasQuotaInfo())
|
|
assert.True(t, usage.HasTranferQuota())
|
|
assert.Empty(t, usage.GetQuotaFiles())
|
|
assert.Equal(t, 0, usage.GetQuotaFilesPercentage())
|
|
usage.QuotaFiles = 1
|
|
assert.NotEmpty(t, usage.GetQuotaFiles())
|
|
usage.QuotaFiles = 0
|
|
usage.UsedQuotaFiles = 9
|
|
assert.NotEmpty(t, usage.GetQuotaFiles())
|
|
usage.QuotaFiles = 10
|
|
usage.DownloadDataTransfer = 0
|
|
assert.True(t, usage.IsQuotaFilesLow())
|
|
assert.True(t, usage.IsDiskQuotaLow())
|
|
assert.False(t, usage.IsTotalTransferQuotaLow())
|
|
assert.False(t, usage.IsUploadTransferQuotaLow())
|
|
assert.False(t, usage.IsDownloadTransferQuotaLow())
|
|
assert.Equal(t, 0, usage.GetTotalTransferQuotaPercentage())
|
|
assert.Equal(t, 0, usage.GetUploadTransferQuotaPercentage())
|
|
assert.Equal(t, 0, usage.GetDownloadTransferQuotaPercentage())
|
|
assert.Empty(t, usage.GetTotalTransferQuota())
|
|
assert.Empty(t, usage.GetUploadTransferQuota())
|
|
assert.Empty(t, usage.GetDownloadTransferQuota())
|
|
usage.TotalDataTransfer = 3
|
|
usage.UsedUploadDataTransfer = 1 * 1048576
|
|
assert.NotEmpty(t, usage.GetTotalTransferQuota())
|
|
usage.TotalDataTransfer = 0
|
|
assert.NotEmpty(t, usage.GetTotalTransferQuota())
|
|
assert.NotEmpty(t, usage.GetUploadTransferQuota())
|
|
usage.UploadDataTransfer = 2
|
|
assert.NotEmpty(t, usage.GetUploadTransferQuota())
|
|
usage.UsedDownloadDataTransfer = 1 * 1048576
|
|
assert.NotEmpty(t, usage.GetDownloadTransferQuota())
|
|
usage.DownloadDataTransfer = 2
|
|
assert.NotEmpty(t, usage.GetDownloadTransferQuota())
|
|
assert.False(t, usage.IsTransferQuotaLow())
|
|
usage.UsedDownloadDataTransfer = 8 * 1048576
|
|
usage.TotalDataTransfer = 10
|
|
assert.True(t, usage.IsTotalTransferQuotaLow())
|
|
assert.True(t, usage.IsTransferQuotaLow())
|
|
usage.TotalDataTransfer = 0
|
|
usage.UploadDataTransfer = 0
|
|
usage.DownloadDataTransfer = 0
|
|
assert.False(t, usage.IsTransferQuotaLow())
|
|
usage.UploadDataTransfer = 10
|
|
usage.UsedUploadDataTransfer = 9 * 1048576
|
|
assert.True(t, usage.IsUploadTransferQuotaLow())
|
|
assert.True(t, usage.IsTransferQuotaLow())
|
|
usage.DownloadDataTransfer = 10
|
|
usage.UsedDownloadDataTransfer = 9 * 1048576
|
|
assert.True(t, usage.IsDownloadTransferQuotaLow())
|
|
assert.True(t, usage.IsTransferQuotaLow())
|
|
}
|
|
|
|
func TestShareRedirectURL(t *testing.T) {
|
|
shareID := util.GenerateUniqueID()
|
|
base := path.Join(webClientPubSharesPath, shareID)
|
|
next := path.Join(webClientPubSharesPath, shareID, "browse")
|
|
ok, res := checkShareRedirectURL(next, base)
|
|
assert.True(t, ok)
|
|
assert.Equal(t, next, res)
|
|
next = path.Join(webClientPubSharesPath, shareID, "browse") + "?a=b"
|
|
ok, res = checkShareRedirectURL(next, base)
|
|
assert.True(t, ok)
|
|
assert.Equal(t, next, res)
|
|
next = path.Join(webClientPubSharesPath, shareID)
|
|
ok, res = checkShareRedirectURL(next, base)
|
|
assert.True(t, ok)
|
|
assert.Equal(t, path.Join(base, "download"), res)
|
|
next = path.Join(webClientEditFilePath, shareID)
|
|
ok, res = checkShareRedirectURL(next, base)
|
|
assert.False(t, ok)
|
|
assert.Empty(t, res)
|
|
next = path.Join(webClientPubSharesPath, shareID) + "?compress=false&a=b"
|
|
ok, res = checkShareRedirectURL(next, base)
|
|
assert.True(t, ok)
|
|
assert.Equal(t, path.Join(base, "download?compress=false&a=b"), res)
|
|
next = path.Join(webClientPubSharesPath, shareID) + "?compress=true&b=c"
|
|
ok, res = checkShareRedirectURL(next, base)
|
|
assert.True(t, ok)
|
|
assert.Equal(t, path.Join(base, "download?compress=true&b=c"), res)
|
|
ok, res = checkShareRedirectURL("http://foo\x7f.com/ab", "http://foo\x7f.com/")
|
|
assert.False(t, ok)
|
|
assert.Empty(t, res)
|
|
ok, res = checkShareRedirectURL("http://foo.com/?foo\nbar", "http://foo.com")
|
|
assert.False(t, ok)
|
|
assert.Empty(t, res)
|
|
}
|
|
|
|
func TestI18NMessages(t *testing.T) {
|
|
msg := i18nListDirMsg(http.StatusForbidden)
|
|
require.Equal(t, util.I18nErrorDirList403, msg)
|
|
msg = i18nListDirMsg(http.StatusInternalServerError)
|
|
require.Equal(t, util.I18nErrorDirListGeneric, msg)
|
|
msg = i18nFsMsg(http.StatusForbidden)
|
|
require.Equal(t, util.I18nError403Message, msg)
|
|
msg = i18nFsMsg(http.StatusInternalServerError)
|
|
require.Equal(t, util.I18nErrorFsGeneric, msg)
|
|
}
|
|
|
|
func TestI18NErrors(t *testing.T) {
|
|
err := util.NewValidationError("error text")
|
|
errI18n := util.NewI18nError(err, util.I18nError500Message)
|
|
assert.ErrorIs(t, errI18n, util.ErrValidation)
|
|
assert.Equal(t, err.Error(), errI18n.Error())
|
|
assert.Equal(t, util.I18nError500Message, getI18NErrorString(errI18n, ""))
|
|
assert.Equal(t, util.I18nError500Message, errI18n.Message)
|
|
assert.Equal(t, "{}", errI18n.Args())
|
|
var e1 *util.ValidationError
|
|
assert.ErrorAs(t, errI18n, &e1)
|
|
var e2 *util.I18nError
|
|
assert.ErrorAs(t, errI18n, &e2)
|
|
err2 := util.NewI18nError(fs.ErrNotExist, util.I18nError500Message)
|
|
assert.ErrorIs(t, err2, &util.I18nError{})
|
|
assert.ErrorIs(t, err2, fs.ErrNotExist)
|
|
assert.NotErrorIs(t, err2, fs.ErrExist)
|
|
assert.Equal(t, util.I18nError403Message, getI18NErrorString(fs.ErrClosed, util.I18nError403Message))
|
|
errorString := getI18NErrorString(nil, util.I18nError500Message)
|
|
assert.Equal(t, util.I18nError500Message, errorString)
|
|
errI18nWrap := util.NewI18nError(errI18n, util.I18nError404Message)
|
|
assert.Equal(t, util.I18nError500Message, errI18nWrap.Message)
|
|
errI18n = util.NewI18nError(err, util.I18nError500Message, util.I18nErrorArgs(map[string]any{"a": "b"}))
|
|
assert.Equal(t, util.I18nError500Message, errI18n.Message)
|
|
assert.Equal(t, `{"a":"b"}`, errI18n.Args())
|
|
}
|
|
|
|
func getCSRFTokenFromBody(body io.Reader) (string, error) {
|
|
doc, err := html.Parse(body)
|
|
if err != nil {
|
|
return "", err
|
|
}
|
|
|
|
var csrfToken string
|
|
var f func(*html.Node)
|
|
|
|
f = func(n *html.Node) {
|
|
if n.Type == html.ElementNode && n.Data == "input" {
|
|
var name, value string
|
|
for _, attr := range n.Attr {
|
|
if attr.Key == "value" {
|
|
value = attr.Val
|
|
}
|
|
if attr.Key == "name" {
|
|
name = attr.Val
|
|
}
|
|
}
|
|
if name == csrfFormToken {
|
|
csrfToken = value
|
|
return
|
|
}
|
|
}
|
|
|
|
for c := n.FirstChild; c != nil; c = c.NextSibling {
|
|
f(c)
|
|
}
|
|
}
|
|
|
|
f(doc)
|
|
|
|
if csrfToken == "" {
|
|
return "", errors.New("CSRF token not found")
|
|
}
|
|
|
|
return csrfToken, nil
|
|
}
|
|
|
|
func isSharedProviderSupported() bool {
|
|
// SQLite shares the implementation with other SQL-based provider but it makes no sense
|
|
// to use it outside test cases
|
|
switch dataprovider.GetProviderStatus().Driver {
|
|
case dataprovider.MySQLDataProviderName, dataprovider.PGSQLDataProviderName,
|
|
dataprovider.CockroachDataProviderName, dataprovider.SQLiteDataProviderName:
|
|
return true
|
|
default:
|
|
return false
|
|
}
|
|
}
|