2023-01-03 09:18:30 +00:00
|
|
|
// Copyright (C) 2019-2023 Nicola Murino
|
2022-07-17 18:16:00 +00:00
|
|
|
//
|
|
|
|
// This program is free software: you can redistribute it and/or modify
|
|
|
|
// it under the terms of the GNU Affero General Public License as published
|
|
|
|
// by the Free Software Foundation, version 3.
|
|
|
|
//
|
|
|
|
// This program is distributed in the hope that it will be useful,
|
|
|
|
// but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
|
// GNU Affero General Public License for more details.
|
|
|
|
//
|
|
|
|
// You should have received a copy of the GNU Affero General Public License
|
2023-01-03 09:18:30 +00:00
|
|
|
// along with this program. If not, see <https://www.gnu.org/licenses/>.
|
2022-07-17 18:16:00 +00:00
|
|
|
|
2021-01-17 21:29:08 +00:00
|
|
|
package httpd
|
|
|
|
|
|
|
|
import (
|
2021-02-03 07:55:28 +00:00
|
|
|
"errors"
|
2021-08-17 16:08:32 +00:00
|
|
|
"fmt"
|
2021-01-17 21:29:08 +00:00
|
|
|
"net/http"
|
2023-06-08 16:14:47 +00:00
|
|
|
"net/url"
|
2021-08-17 16:08:32 +00:00
|
|
|
"strings"
|
2021-01-17 21:29:08 +00:00
|
|
|
|
2021-03-05 17:50:45 +00:00
|
|
|
"github.com/go-chi/jwtauth/v5"
|
2022-11-16 18:04:50 +00:00
|
|
|
"github.com/lestrrat-go/jwx/v2/jwt"
|
2021-08-17 16:08:32 +00:00
|
|
|
"github.com/rs/xid"
|
2022-01-06 10:54:43 +00:00
|
|
|
"github.com/sftpgo/sdk"
|
2021-01-17 21:29:08 +00:00
|
|
|
|
2022-07-24 14:18:54 +00:00
|
|
|
"github.com/drakkan/sftpgo/v2/internal/common"
|
|
|
|
"github.com/drakkan/sftpgo/v2/internal/dataprovider"
|
|
|
|
"github.com/drakkan/sftpgo/v2/internal/logger"
|
|
|
|
"github.com/drakkan/sftpgo/v2/internal/util"
|
2021-01-17 21:29:08 +00:00
|
|
|
)
|
|
|
|
|
2021-05-06 19:35:43 +00:00
|
|
|
var (
|
2021-05-11 04:54:06 +00:00
|
|
|
forwardedProtoKey = &contextKey{"forwarded proto"}
|
|
|
|
errInvalidToken = errors.New("invalid JWT token")
|
2021-05-06 19:35:43 +00:00
|
|
|
)
|
2021-01-17 21:29:08 +00:00
|
|
|
|
2021-02-03 07:55:28 +00:00
|
|
|
type contextKey struct {
|
|
|
|
name string
|
|
|
|
}
|
|
|
|
|
|
|
|
func (k *contextKey) String() string {
|
|
|
|
return "context value " + k.name
|
|
|
|
}
|
2021-01-17 21:29:08 +00:00
|
|
|
|
2021-05-06 19:35:43 +00:00
|
|
|
func validateJWTToken(w http.ResponseWriter, r *http.Request, audience tokenAudience) error {
|
|
|
|
token, _, err := jwtauth.FromContext(r.Context())
|
|
|
|
|
|
|
|
var redirectPath string
|
|
|
|
if audience == tokenAudienceWebAdmin {
|
2022-02-13 13:30:20 +00:00
|
|
|
redirectPath = webAdminLoginPath
|
2021-05-06 19:35:43 +00:00
|
|
|
} else {
|
|
|
|
redirectPath = webClientLoginPath
|
2023-06-08 16:14:47 +00:00
|
|
|
if uri := r.RequestURI; strings.HasPrefix(uri, webClientFilesPath) {
|
2023-10-20 18:31:17 +00:00
|
|
|
redirectPath += "?next=" + url.QueryEscape(uri) //nolint:goconst
|
2023-06-08 16:14:47 +00:00
|
|
|
}
|
2021-05-06 19:35:43 +00:00
|
|
|
}
|
2021-01-17 21:29:08 +00:00
|
|
|
|
2021-06-05 14:07:09 +00:00
|
|
|
isAPIToken := (audience == tokenAudienceAPI || audience == tokenAudienceAPIUser)
|
|
|
|
|
2022-03-24 21:03:17 +00:00
|
|
|
doRedirect := func(message string, err error) {
|
2021-06-05 14:07:09 +00:00
|
|
|
if isAPIToken {
|
2022-03-24 21:03:17 +00:00
|
|
|
sendAPIResponse(w, r, err, message, http.StatusUnauthorized)
|
2021-05-06 19:35:43 +00:00
|
|
|
} else {
|
|
|
|
http.Redirect(w, r, redirectPath, http.StatusFound)
|
2021-01-17 21:29:08 +00:00
|
|
|
}
|
2022-03-24 21:03:17 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
if err != nil || token == nil {
|
|
|
|
logger.Debug(logSender, "", "error getting jwt token: %v", err)
|
|
|
|
doRedirect(http.StatusText(http.StatusUnauthorized), err)
|
2021-05-06 19:35:43 +00:00
|
|
|
return errInvalidToken
|
|
|
|
}
|
2021-01-17 21:29:08 +00:00
|
|
|
|
2021-05-06 19:35:43 +00:00
|
|
|
err = jwt.Validate(token)
|
|
|
|
if err != nil {
|
|
|
|
logger.Debug(logSender, "", "error validating jwt token: %v", err)
|
2022-03-24 21:03:17 +00:00
|
|
|
doRedirect(http.StatusText(http.StatusUnauthorized), err)
|
2021-05-06 19:35:43 +00:00
|
|
|
return errInvalidToken
|
|
|
|
}
|
2021-09-04 10:11:04 +00:00
|
|
|
if isTokenInvalidated(r) {
|
|
|
|
logger.Debug(logSender, "", "the token has been invalidated")
|
2022-03-24 21:03:17 +00:00
|
|
|
doRedirect("Your token is no longer valid", nil)
|
2021-05-06 19:35:43 +00:00
|
|
|
return errInvalidToken
|
|
|
|
}
|
2021-09-04 10:11:04 +00:00
|
|
|
// a user with a partial token will be always redirected to the appropriate two factor auth page
|
|
|
|
if err := checkPartialAuth(w, r, audience, token.Audience()); err != nil {
|
|
|
|
return err
|
|
|
|
}
|
2022-05-19 17:49:51 +00:00
|
|
|
if !util.Contains(token.Audience(), audience) {
|
2023-02-12 07:29:53 +00:00
|
|
|
logger.Debug(logSender, "", "the token is not valid for audience %q", audience)
|
2022-03-24 21:03:17 +00:00
|
|
|
doRedirect("Your token audience is not valid", nil)
|
|
|
|
return errInvalidToken
|
|
|
|
}
|
2022-05-28 11:28:50 +00:00
|
|
|
if tokenValidationMode != tokenValidationNoIPMatch {
|
|
|
|
ipAddr := util.GetIPFromRemoteAddress(r.RemoteAddr)
|
|
|
|
if !util.Contains(token.Audience(), ipAddr) {
|
2023-02-12 07:29:53 +00:00
|
|
|
logger.Debug(logSender, "", "the token with id %q is not valid for the ip address %q", token.JwtID(), ipAddr)
|
2022-05-28 11:28:50 +00:00
|
|
|
doRedirect("Your token is not valid", nil)
|
|
|
|
return errInvalidToken
|
|
|
|
}
|
2021-05-06 19:35:43 +00:00
|
|
|
}
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
2022-03-19 20:44:27 +00:00
|
|
|
func (s *httpdServer) validateJWTPartialToken(w http.ResponseWriter, r *http.Request, audience tokenAudience) error {
|
2021-09-04 10:11:04 +00:00
|
|
|
token, _, err := jwtauth.FromContext(r.Context())
|
|
|
|
var notFoundFunc func(w http.ResponseWriter, r *http.Request, err error)
|
|
|
|
if audience == tokenAudienceWebAdminPartial {
|
2022-03-19 20:44:27 +00:00
|
|
|
notFoundFunc = s.renderNotFoundPage
|
2021-09-04 10:11:04 +00:00
|
|
|
} else {
|
2022-03-19 20:44:27 +00:00
|
|
|
notFoundFunc = s.renderClientNotFoundPage
|
2021-09-04 10:11:04 +00:00
|
|
|
}
|
|
|
|
if err != nil || token == nil || jwt.Validate(token) != nil {
|
|
|
|
notFoundFunc(w, r, nil)
|
|
|
|
return errInvalidToken
|
|
|
|
}
|
|
|
|
if isTokenInvalidated(r) {
|
|
|
|
notFoundFunc(w, r, nil)
|
|
|
|
return errInvalidToken
|
|
|
|
}
|
2022-05-19 17:49:51 +00:00
|
|
|
if !util.Contains(token.Audience(), audience) {
|
2023-02-27 18:02:43 +00:00
|
|
|
logger.Debug(logSender, "", "the token is not valid for audience %q", audience)
|
2021-09-04 10:11:04 +00:00
|
|
|
notFoundFunc(w, r, nil)
|
|
|
|
return errInvalidToken
|
|
|
|
}
|
|
|
|
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
2022-03-19 20:44:27 +00:00
|
|
|
func (s *httpdServer) jwtAuthenticatorPartial(audience tokenAudience) func(next http.Handler) http.Handler {
|
2021-09-04 10:11:04 +00:00
|
|
|
return func(next http.Handler) http.Handler {
|
|
|
|
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
2022-03-19 20:44:27 +00:00
|
|
|
if err := s.validateJWTPartialToken(w, r, audience); err != nil {
|
2021-09-04 10:11:04 +00:00
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
// Token is authenticated, pass it through
|
|
|
|
next.ServeHTTP(w, r)
|
|
|
|
})
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2021-05-06 19:35:43 +00:00
|
|
|
func jwtAuthenticatorAPI(next http.Handler) http.Handler {
|
|
|
|
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
|
|
if err := validateJWTToken(w, r, tokenAudienceAPI); err != nil {
|
2021-01-26 21:35:36 +00:00
|
|
|
return
|
|
|
|
}
|
2021-01-17 21:29:08 +00:00
|
|
|
|
|
|
|
// Token is authenticated, pass it through
|
|
|
|
next.ServeHTTP(w, r)
|
|
|
|
})
|
|
|
|
}
|
|
|
|
|
2021-06-05 14:07:09 +00:00
|
|
|
func jwtAuthenticatorAPIUser(next http.Handler) http.Handler {
|
|
|
|
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
|
|
if err := validateJWTToken(w, r, tokenAudienceAPIUser); err != nil {
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
// Token is authenticated, pass it through
|
|
|
|
next.ServeHTTP(w, r)
|
|
|
|
})
|
|
|
|
}
|
|
|
|
|
2021-05-06 19:35:43 +00:00
|
|
|
func jwtAuthenticatorWebAdmin(next http.Handler) http.Handler {
|
2021-01-17 21:29:08 +00:00
|
|
|
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
2021-05-06 19:35:43 +00:00
|
|
|
if err := validateJWTToken(w, r, tokenAudienceWebAdmin); err != nil {
|
2021-01-17 21:29:08 +00:00
|
|
|
return
|
|
|
|
}
|
|
|
|
|
2021-05-06 19:35:43 +00:00
|
|
|
// Token is authenticated, pass it through
|
|
|
|
next.ServeHTTP(w, r)
|
|
|
|
})
|
|
|
|
}
|
|
|
|
|
|
|
|
func jwtAuthenticatorWebClient(next http.Handler) http.Handler {
|
|
|
|
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
|
|
if err := validateJWTToken(w, r, tokenAudienceWebClient); err != nil {
|
2021-01-26 21:35:36 +00:00
|
|
|
return
|
|
|
|
}
|
2021-01-17 21:29:08 +00:00
|
|
|
|
|
|
|
// Token is authenticated, pass it through
|
|
|
|
next.ServeHTTP(w, r)
|
|
|
|
})
|
|
|
|
}
|
|
|
|
|
2022-03-19 20:44:27 +00:00
|
|
|
func (s *httpdServer) checkHTTPUserPerm(perm string) func(next http.Handler) http.Handler {
|
2021-05-06 19:35:43 +00:00
|
|
|
return func(next http.Handler) http.Handler {
|
|
|
|
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
|
|
_, claims, err := jwtauth.FromContext(r.Context())
|
|
|
|
if err != nil {
|
2021-06-05 14:07:09 +00:00
|
|
|
if isWebRequest(r) {
|
2022-03-19 20:44:27 +00:00
|
|
|
s.renderClientBadRequestPage(w, r, err)
|
2021-06-05 14:07:09 +00:00
|
|
|
} else {
|
|
|
|
sendAPIResponse(w, r, err, http.StatusText(http.StatusBadRequest), http.StatusBadRequest)
|
|
|
|
}
|
2021-05-06 19:35:43 +00:00
|
|
|
return
|
|
|
|
}
|
|
|
|
tokenClaims := jwtTokenClaims{}
|
|
|
|
tokenClaims.Decode(claims)
|
|
|
|
// for web client perms are negated and not granted
|
|
|
|
if tokenClaims.hasPerm(perm) {
|
2021-06-05 14:07:09 +00:00
|
|
|
if isWebRequest(r) {
|
2023-12-10 15:40:13 +00:00
|
|
|
s.renderClientForbiddenPage(w, r, errors.New("you don't have permission for this action"))
|
2021-06-05 14:07:09 +00:00
|
|
|
} else {
|
|
|
|
sendAPIResponse(w, r, nil, http.StatusText(http.StatusForbidden), http.StatusForbidden)
|
|
|
|
}
|
2021-05-06 19:35:43 +00:00
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
next.ServeHTTP(w, r)
|
|
|
|
})
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2022-12-11 16:15:34 +00:00
|
|
|
// checkAuthRequirements checks if the user must set a second factor auth or change the password
|
|
|
|
func (s *httpdServer) checkAuthRequirements(next http.Handler) http.Handler {
|
2022-03-06 15:57:13 +00:00
|
|
|
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
|
|
_, claims, err := jwtauth.FromContext(r.Context())
|
|
|
|
if err != nil {
|
|
|
|
if isWebRequest(r) {
|
2022-03-19 20:44:27 +00:00
|
|
|
s.renderClientBadRequestPage(w, r, err)
|
2022-03-06 15:57:13 +00:00
|
|
|
} else {
|
|
|
|
sendAPIResponse(w, r, err, http.StatusText(http.StatusBadRequest), http.StatusBadRequest)
|
|
|
|
}
|
|
|
|
return
|
|
|
|
}
|
|
|
|
tokenClaims := jwtTokenClaims{}
|
|
|
|
tokenClaims.Decode(claims)
|
2022-12-11 16:15:34 +00:00
|
|
|
if tokenClaims.MustSetTwoFactorAuth || tokenClaims.MustChangePassword {
|
2023-12-10 15:40:13 +00:00
|
|
|
var err error
|
2022-12-11 16:15:34 +00:00
|
|
|
if tokenClaims.MustSetTwoFactorAuth {
|
2023-12-12 17:04:14 +00:00
|
|
|
protocols := strings.Join(tokenClaims.RequiredTwoFactorProtocols, ", ")
|
2023-12-10 15:40:13 +00:00
|
|
|
err = util.NewI18nError(
|
|
|
|
util.NewGenericError(
|
|
|
|
fmt.Sprintf("Two-factor authentication requirements not met, please configure two-factor authentication for the following protocols: %v",
|
2023-12-12 17:04:14 +00:00
|
|
|
protocols)),
|
2023-12-10 15:40:13 +00:00
|
|
|
util.I18nError2FARequired,
|
2023-12-12 17:04:14 +00:00
|
|
|
util.I18nErrorArgs(map[string]any{
|
|
|
|
"val": protocols,
|
|
|
|
}),
|
2023-12-10 15:40:13 +00:00
|
|
|
)
|
2022-12-11 16:15:34 +00:00
|
|
|
} else {
|
2023-12-10 15:40:13 +00:00
|
|
|
err = util.NewI18nError(
|
|
|
|
util.NewGenericError("Password change required. Please set a new password to continue to use your account"),
|
|
|
|
util.I18nErrorChangePwdRequired,
|
|
|
|
)
|
2022-12-11 16:15:34 +00:00
|
|
|
}
|
2022-03-06 15:57:13 +00:00
|
|
|
if isWebRequest(r) {
|
2023-12-10 15:40:13 +00:00
|
|
|
s.renderClientForbiddenPage(w, r, err)
|
2022-03-06 15:57:13 +00:00
|
|
|
} else {
|
2023-12-10 15:40:13 +00:00
|
|
|
sendAPIResponse(w, r, err, "", http.StatusForbidden)
|
2022-03-06 15:57:13 +00:00
|
|
|
}
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
next.ServeHTTP(w, r)
|
|
|
|
})
|
|
|
|
}
|
|
|
|
|
2022-03-19 20:44:27 +00:00
|
|
|
func (s *httpdServer) requireBuiltinLogin(next http.Handler) http.Handler {
|
2022-02-13 13:30:20 +00:00
|
|
|
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
|
|
if isLoggedInWithOIDC(r) {
|
|
|
|
if isWebClientRequest(r) {
|
2023-12-10 15:40:13 +00:00
|
|
|
s.renderClientForbiddenPage(w, r, util.NewI18nError(
|
|
|
|
util.NewGenericError("This feature is not available if you are logged in with OpenID"),
|
|
|
|
util.I18nErrorNoOIDCFeature,
|
|
|
|
))
|
2022-02-13 13:30:20 +00:00
|
|
|
} else {
|
2022-03-19 20:44:27 +00:00
|
|
|
s.renderForbiddenPage(w, r, "This feature is not available if you are logged in with OpenID")
|
2022-02-13 13:30:20 +00:00
|
|
|
}
|
|
|
|
return
|
|
|
|
}
|
|
|
|
next.ServeHTTP(w, r)
|
|
|
|
})
|
|
|
|
}
|
|
|
|
|
2022-03-19 20:44:27 +00:00
|
|
|
func (s *httpdServer) checkPerm(perm string) func(next http.Handler) http.Handler {
|
2021-01-17 21:29:08 +00:00
|
|
|
return func(next http.Handler) http.Handler {
|
|
|
|
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
|
|
_, claims, err := jwtauth.FromContext(r.Context())
|
|
|
|
if err != nil {
|
2021-05-06 19:35:43 +00:00
|
|
|
if isWebRequest(r) {
|
2022-03-19 20:44:27 +00:00
|
|
|
s.renderBadRequestPage(w, r, err)
|
2021-01-17 21:29:08 +00:00
|
|
|
} else {
|
|
|
|
sendAPIResponse(w, r, err, http.StatusText(http.StatusBadRequest), http.StatusBadRequest)
|
|
|
|
}
|
|
|
|
return
|
|
|
|
}
|
|
|
|
tokenClaims := jwtTokenClaims{}
|
|
|
|
tokenClaims.Decode(claims)
|
|
|
|
|
|
|
|
if !tokenClaims.hasPerm(perm) {
|
2021-05-06 19:35:43 +00:00
|
|
|
if isWebRequest(r) {
|
2022-03-19 20:44:27 +00:00
|
|
|
s.renderForbiddenPage(w, r, "You don't have permission for this action")
|
2021-01-17 21:29:08 +00:00
|
|
|
} else {
|
|
|
|
sendAPIResponse(w, r, nil, http.StatusText(http.StatusForbidden), http.StatusForbidden)
|
|
|
|
}
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
next.ServeHTTP(w, r)
|
|
|
|
})
|
|
|
|
}
|
|
|
|
}
|
2021-02-03 07:55:28 +00:00
|
|
|
|
|
|
|
func verifyCSRFHeader(next http.Handler) http.Handler {
|
|
|
|
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
|
|
tokenString := r.Header.Get(csrfHeaderToken)
|
|
|
|
token, err := jwtauth.VerifyToken(csrfTokenAuth, tokenString)
|
|
|
|
if err != nil || token == nil {
|
|
|
|
logger.Debug(logSender, "", "error validating CSRF header: %v", err)
|
|
|
|
sendAPIResponse(w, r, err, "Invalid token", http.StatusForbidden)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
2022-05-19 17:49:51 +00:00
|
|
|
if !util.Contains(token.Audience(), tokenAudienceCSRF) {
|
2022-03-26 07:41:50 +00:00
|
|
|
logger.Debug(logSender, "", "error validating CSRF header token audience")
|
|
|
|
sendAPIResponse(w, r, errors.New("the token is not valid"), "", http.StatusForbidden)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
2022-12-16 18:14:56 +00:00
|
|
|
if tokenValidationMode != tokenValidationNoIPMatch {
|
|
|
|
if !util.Contains(token.Audience(), util.GetIPFromRemoteAddress(r.RemoteAddr)) {
|
|
|
|
logger.Debug(logSender, "", "error validating CSRF header IP audience")
|
|
|
|
sendAPIResponse(w, r, errors.New("the token is not valid"), "", http.StatusForbidden)
|
|
|
|
return
|
|
|
|
}
|
2021-02-03 07:55:28 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
next.ServeHTTP(w, r)
|
|
|
|
})
|
|
|
|
}
|
2021-05-30 21:07:46 +00:00
|
|
|
|
2022-09-25 17:48:55 +00:00
|
|
|
func checkNodeToken(tokenAuth *jwtauth.JWTAuth) func(next http.Handler) http.Handler {
|
|
|
|
return func(next http.Handler) http.Handler {
|
|
|
|
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
|
|
token := r.Header.Get(dataprovider.NodeTokenHeader)
|
|
|
|
if token == "" {
|
|
|
|
next.ServeHTTP(w, r)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
if len(token) > 7 && strings.ToUpper(token[0:6]) == "BEARER" {
|
|
|
|
token = token[7:]
|
|
|
|
}
|
2022-11-16 18:04:50 +00:00
|
|
|
admin, role, err := dataprovider.AuthenticateNodeToken(token)
|
2022-10-02 07:51:47 +00:00
|
|
|
if err != nil {
|
2022-09-25 17:48:55 +00:00
|
|
|
logger.Debug(logSender, "", "unable to authenticate node token %q: %v", token, err)
|
|
|
|
sendAPIResponse(w, r, fmt.Errorf("the provided token cannot be authenticated"), "", http.StatusUnauthorized)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
c := jwtTokenClaims{
|
2022-10-02 07:51:47 +00:00
|
|
|
Username: admin,
|
2022-09-25 17:48:55 +00:00
|
|
|
Permissions: []string{dataprovider.PermAdminViewConnections, dataprovider.PermAdminCloseConnections},
|
|
|
|
NodeID: dataprovider.GetNodeName(),
|
2022-11-16 18:04:50 +00:00
|
|
|
Role: role,
|
2022-09-25 17:48:55 +00:00
|
|
|
}
|
|
|
|
resp, err := c.createTokenResponse(tokenAuth, tokenAudienceAPI, util.GetIPFromRemoteAddress(r.RemoteAddr))
|
|
|
|
if err != nil {
|
|
|
|
sendAPIResponse(w, r, err, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
r.Header.Set("Authorization", fmt.Sprintf("Bearer %v", resp["access_token"]))
|
|
|
|
|
|
|
|
next.ServeHTTP(w, r)
|
|
|
|
})
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2021-08-17 16:08:32 +00:00
|
|
|
func checkAPIKeyAuth(tokenAuth *jwtauth.JWTAuth, scope dataprovider.APIKeyScope) func(next http.Handler) http.Handler {
|
|
|
|
return func(next http.Handler) http.Handler {
|
|
|
|
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
|
|
apiKey := r.Header.Get("X-SFTPGO-API-KEY")
|
|
|
|
if apiKey == "" {
|
|
|
|
next.ServeHTTP(w, r)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
keyParams := strings.SplitN(apiKey, ".", 3)
|
|
|
|
if len(keyParams) < 2 {
|
2023-02-27 18:02:43 +00:00
|
|
|
logger.Debug(logSender, "", "invalid api key %q", apiKey)
|
2021-08-17 16:08:32 +00:00
|
|
|
sendAPIResponse(w, r, errors.New("the provided api key is not valid"), "", http.StatusBadRequest)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
keyID := keyParams[0]
|
|
|
|
key := keyParams[1]
|
|
|
|
apiUser := ""
|
|
|
|
if len(keyParams) > 2 {
|
|
|
|
apiUser = keyParams[2]
|
|
|
|
}
|
|
|
|
|
|
|
|
k, err := dataprovider.APIKeyExists(keyID)
|
|
|
|
if err != nil {
|
2023-03-04 12:55:48 +00:00
|
|
|
handleDefenderEventLoginFailed(util.GetIPFromRemoteAddress(r.RemoteAddr), util.NewRecordNotFoundError("invalid api key")) //nolint:errcheck
|
2023-02-27 18:02:43 +00:00
|
|
|
logger.Debug(logSender, "invalid api key %q: %v", apiKey, err)
|
2021-08-17 16:08:32 +00:00
|
|
|
sendAPIResponse(w, r, errors.New("the provided api key is not valid"), "", http.StatusBadRequest)
|
|
|
|
return
|
|
|
|
}
|
2023-09-08 16:54:11 +00:00
|
|
|
if k.Scope != scope {
|
|
|
|
handleDefenderEventLoginFailed(util.GetIPFromRemoteAddress(r.RemoteAddr), dataprovider.ErrInvalidCredentials) //nolint:errcheck
|
2023-09-08 17:55:45 +00:00
|
|
|
logger.Debug(logSender, "", "unable to authenticate api key %q: invalid scope: got %d, wanted: %d",
|
2023-09-08 16:54:11 +00:00
|
|
|
apiKey, k.Scope, scope)
|
|
|
|
sendAPIResponse(w, r, fmt.Errorf("the provided api key is invalid for this request"), "", http.StatusForbidden)
|
|
|
|
return
|
|
|
|
}
|
2021-08-17 16:08:32 +00:00
|
|
|
if err := k.Authenticate(key); err != nil {
|
2023-03-04 12:55:48 +00:00
|
|
|
handleDefenderEventLoginFailed(util.GetIPFromRemoteAddress(r.RemoteAddr), dataprovider.ErrInvalidCredentials) //nolint:errcheck
|
2023-02-27 18:02:43 +00:00
|
|
|
logger.Debug(logSender, "", "unable to authenticate api key %q: %v", apiKey, err)
|
2021-08-17 16:08:32 +00:00
|
|
|
sendAPIResponse(w, r, fmt.Errorf("the provided api key cannot be authenticated"), "", http.StatusUnauthorized)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
if scope == dataprovider.APIKeyScopeAdmin {
|
|
|
|
if k.Admin != "" {
|
|
|
|
apiUser = k.Admin
|
|
|
|
}
|
|
|
|
if err := authenticateAdminWithAPIKey(apiUser, keyID, tokenAuth, r); err != nil {
|
2023-03-04 12:55:48 +00:00
|
|
|
handleDefenderEventLoginFailed(util.GetIPFromRemoteAddress(r.RemoteAddr), err) //nolint:errcheck
|
2023-02-27 18:02:43 +00:00
|
|
|
logger.Debug(logSender, "", "unable to authenticate admin %q associated with api key %q: %v",
|
2021-08-17 16:08:32 +00:00
|
|
|
apiUser, apiKey, err)
|
|
|
|
sendAPIResponse(w, r, fmt.Errorf("the admin associated with the provided api key cannot be authenticated"),
|
|
|
|
"", http.StatusUnauthorized)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
} else {
|
|
|
|
if k.User != "" {
|
|
|
|
apiUser = k.User
|
|
|
|
}
|
|
|
|
if err := authenticateUserWithAPIKey(apiUser, keyID, tokenAuth, r); err != nil {
|
2023-02-27 18:02:43 +00:00
|
|
|
logger.Debug(logSender, "", "unable to authenticate user %q associated with api key %q: %v",
|
2021-08-17 16:08:32 +00:00
|
|
|
apiUser, apiKey, err)
|
2023-03-04 12:55:48 +00:00
|
|
|
updateLoginMetrics(&dataprovider.User{BaseUser: sdk.BaseUser{Username: apiUser}},
|
|
|
|
dataprovider.LoginMethodPassword, util.GetIPFromRemoteAddress(r.RemoteAddr), err)
|
2021-08-17 16:08:32 +00:00
|
|
|
code := http.StatusUnauthorized
|
|
|
|
if errors.Is(err, common.ErrInternalFailure) {
|
|
|
|
code = http.StatusInternalServerError
|
|
|
|
}
|
|
|
|
sendAPIResponse(w, r, errors.New("the user associated with the provided api key cannot be authenticated"),
|
|
|
|
"", code)
|
|
|
|
return
|
|
|
|
}
|
2023-03-04 12:55:48 +00:00
|
|
|
updateLoginMetrics(&dataprovider.User{BaseUser: sdk.BaseUser{Username: apiUser}},
|
|
|
|
dataprovider.LoginMethodPassword, util.GetIPFromRemoteAddress(r.RemoteAddr), nil)
|
2021-08-17 16:08:32 +00:00
|
|
|
}
|
|
|
|
dataprovider.UpdateAPIKeyLastUse(&k) //nolint:errcheck
|
|
|
|
|
|
|
|
next.ServeHTTP(w, r)
|
|
|
|
})
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
func forbidAPIKeyAuthentication(next http.Handler) http.Handler {
|
|
|
|
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
|
|
claims, err := getTokenClaims(r)
|
|
|
|
if err != nil || claims.Username == "" {
|
|
|
|
sendAPIResponse(w, r, err, "Invalid token claims", http.StatusBadRequest)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
if claims.APIKeyID != "" {
|
|
|
|
sendAPIResponse(w, r, nil, "API key authentication is not allowed", http.StatusForbidden)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
next.ServeHTTP(w, r)
|
|
|
|
})
|
|
|
|
}
|
|
|
|
|
|
|
|
func authenticateAdminWithAPIKey(username, keyID string, tokenAuth *jwtauth.JWTAuth, r *http.Request) error {
|
|
|
|
if username == "" {
|
|
|
|
return errors.New("the provided key is not associated with any admin and no username was provided")
|
|
|
|
}
|
|
|
|
admin, err := dataprovider.AdminExists(username)
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
if !admin.Filters.AllowAPIKeyAuth {
|
2023-02-27 18:02:43 +00:00
|
|
|
return fmt.Errorf("API key authentication disabled for admin %q", admin.Username)
|
2021-08-17 16:08:32 +00:00
|
|
|
}
|
2022-03-24 21:03:17 +00:00
|
|
|
ipAddr := util.GetIPFromRemoteAddress(r.RemoteAddr)
|
|
|
|
if err := admin.CanLogin(ipAddr); err != nil {
|
2021-08-17 16:08:32 +00:00
|
|
|
return err
|
|
|
|
}
|
|
|
|
c := jwtTokenClaims{
|
|
|
|
Username: admin.Username,
|
|
|
|
Permissions: admin.Permissions,
|
|
|
|
Signature: admin.GetSignature(),
|
2022-12-03 10:45:27 +00:00
|
|
|
Role: admin.Role,
|
2021-08-17 16:08:32 +00:00
|
|
|
APIKeyID: keyID,
|
|
|
|
}
|
|
|
|
|
2022-03-24 21:03:17 +00:00
|
|
|
resp, err := c.createTokenResponse(tokenAuth, tokenAudienceAPI, ipAddr)
|
2021-08-17 16:08:32 +00:00
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
r.Header.Set("Authorization", fmt.Sprintf("Bearer %v", resp["access_token"]))
|
2021-08-19 13:51:43 +00:00
|
|
|
dataprovider.UpdateAdminLastLogin(&admin)
|
2021-08-17 16:08:32 +00:00
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
|
|
|
func authenticateUserWithAPIKey(username, keyID string, tokenAuth *jwtauth.JWTAuth, r *http.Request) error {
|
|
|
|
ipAddr := util.GetIPFromRemoteAddress(r.RemoteAddr)
|
2022-02-19 09:53:35 +00:00
|
|
|
protocol := common.ProtocolHTTP
|
2021-08-17 16:08:32 +00:00
|
|
|
if username == "" {
|
|
|
|
err := errors.New("the provided key is not associated with any user and no username was provided")
|
2022-02-19 09:53:35 +00:00
|
|
|
updateLoginMetrics(&dataprovider.User{BaseUser: sdk.BaseUser{Username: username}},
|
|
|
|
dataprovider.LoginMethodPassword, ipAddr, err)
|
2021-08-17 16:08:32 +00:00
|
|
|
return err
|
|
|
|
}
|
2022-02-19 09:53:35 +00:00
|
|
|
if err := common.Config.ExecutePostConnectHook(ipAddr, protocol); err != nil {
|
2021-08-17 16:08:32 +00:00
|
|
|
return err
|
|
|
|
}
|
2022-11-16 18:04:50 +00:00
|
|
|
user, err := dataprovider.GetUserWithGroupSettings(username, "")
|
2021-08-17 16:08:32 +00:00
|
|
|
if err != nil {
|
2022-02-19 09:53:35 +00:00
|
|
|
updateLoginMetrics(&dataprovider.User{BaseUser: sdk.BaseUser{Username: username}},
|
|
|
|
dataprovider.LoginMethodPassword, ipAddr, err)
|
2021-08-17 16:08:32 +00:00
|
|
|
return err
|
|
|
|
}
|
|
|
|
if !user.Filters.AllowAPIKeyAuth {
|
2023-02-27 18:02:43 +00:00
|
|
|
err := fmt.Errorf("API key authentication disabled for user %q", user.Username)
|
2022-02-19 09:53:35 +00:00
|
|
|
updateLoginMetrics(&user, dataprovider.LoginMethodPassword, ipAddr, err)
|
2021-08-17 16:08:32 +00:00
|
|
|
return err
|
|
|
|
}
|
|
|
|
if err := user.CheckLoginConditions(); err != nil {
|
2022-02-19 09:53:35 +00:00
|
|
|
updateLoginMetrics(&user, dataprovider.LoginMethodPassword, ipAddr, err)
|
2021-08-17 16:08:32 +00:00
|
|
|
return err
|
|
|
|
}
|
2022-02-19 09:53:35 +00:00
|
|
|
connectionID := fmt.Sprintf("%v_%v", protocol, xid.New().String())
|
2022-04-14 17:07:41 +00:00
|
|
|
if err := checkHTTPClientUser(&user, r, connectionID, true); err != nil {
|
2022-02-19 09:53:35 +00:00
|
|
|
updateLoginMetrics(&user, dataprovider.LoginMethodPassword, ipAddr, err)
|
2021-08-17 16:08:32 +00:00
|
|
|
return err
|
|
|
|
}
|
2022-02-24 15:11:35 +00:00
|
|
|
defer user.CloseFs() //nolint:errcheck
|
|
|
|
err = user.CheckFsRoot(connectionID)
|
|
|
|
if err != nil {
|
|
|
|
updateLoginMetrics(&user, dataprovider.LoginMethodPassword, ipAddr, common.ErrInternalFailure)
|
|
|
|
return common.ErrInternalFailure
|
2021-08-17 16:08:32 +00:00
|
|
|
}
|
|
|
|
c := jwtTokenClaims{
|
|
|
|
Username: user.Username,
|
|
|
|
Permissions: user.Filters.WebClient,
|
|
|
|
Signature: user.GetSignature(),
|
2022-12-03 10:45:27 +00:00
|
|
|
Role: user.Role,
|
2021-08-17 16:08:32 +00:00
|
|
|
APIKeyID: keyID,
|
|
|
|
}
|
|
|
|
|
2022-03-24 21:03:17 +00:00
|
|
|
resp, err := c.createTokenResponse(tokenAuth, tokenAudienceAPIUser, ipAddr)
|
2021-08-17 16:08:32 +00:00
|
|
|
if err != nil {
|
2022-02-19 09:53:35 +00:00
|
|
|
updateLoginMetrics(&user, dataprovider.LoginMethodPassword, ipAddr, common.ErrInternalFailure)
|
2021-08-17 16:08:32 +00:00
|
|
|
return err
|
|
|
|
}
|
|
|
|
r.Header.Set("Authorization", fmt.Sprintf("Bearer %v", resp["access_token"]))
|
2021-08-19 13:51:43 +00:00
|
|
|
dataprovider.UpdateLastLogin(&user)
|
2022-02-19 09:53:35 +00:00
|
|
|
updateLoginMetrics(&user, dataprovider.LoginMethodPassword, ipAddr, nil)
|
2021-08-17 16:08:32 +00:00
|
|
|
|
|
|
|
return nil
|
|
|
|
}
|
2021-09-04 10:11:04 +00:00
|
|
|
|
|
|
|
func checkPartialAuth(w http.ResponseWriter, r *http.Request, audience string, tokenAudience []string) error {
|
2022-05-19 17:49:51 +00:00
|
|
|
if audience == tokenAudienceWebAdmin && util.Contains(tokenAudience, tokenAudienceWebAdminPartial) {
|
2021-09-04 10:11:04 +00:00
|
|
|
http.Redirect(w, r, webAdminTwoFactorPath, http.StatusFound)
|
|
|
|
return errInvalidToken
|
|
|
|
}
|
2022-05-19 17:49:51 +00:00
|
|
|
if audience == tokenAudienceWebClient && util.Contains(tokenAudience, tokenAudienceWebClientPartial) {
|
2021-09-04 10:11:04 +00:00
|
|
|
http.Redirect(w, r, webClientTwoFactorPath, http.StatusFound)
|
|
|
|
return errInvalidToken
|
|
|
|
}
|
|
|
|
return nil
|
|
|
|
}
|