diff --git a/common/common.go b/common/common.go index 24b4aaf5..9badd1fd 100644 --- a/common/common.go +++ b/common/common.go @@ -606,7 +606,7 @@ func (conns *ActiveConnections) checkIdles() { logger.ConnectionFailedLog("", ip, dataprovider.LoginMethodNoAuthTryed, c.GetProtocol(), "client idle") metrics.AddNoAuthTryed() AddDefenderEvent(ip, HostEventNoLoginTried) - dataprovider.ExecutePostLoginHook("", dataprovider.LoginMethodNoAuthTryed, ip, c.GetProtocol(), + dataprovider.ExecutePostLoginHook(&dataprovider.User{}, dataprovider.LoginMethodNoAuthTryed, ip, c.GetProtocol(), dataprovider.ErrNoAuthTryed) } }(c, isUnauthenticatedFTPUser) diff --git a/dataprovider/dataprovider.go b/dataprovider/dataprovider.go index cdbd5ac1..850ff95a 100644 --- a/dataprovider/dataprovider.go +++ b/dataprovider/dataprovider.go @@ -712,7 +712,7 @@ func UserExists(username string) (User, error) { func AddUser(user *User) error { err := provider.addUser(user) if err == nil { - go executeAction(operationAdd, *user) + executeAction(operationAdd, user) } return err } @@ -722,7 +722,7 @@ func UpdateUser(user *User) error { err := provider.updateUser(user) if err == nil { RemoveCachedWebDAVUser(user.Username) - go executeAction(operationUpdate, *user) + executeAction(operationUpdate, user) } return err } @@ -736,7 +736,7 @@ func DeleteUser(username string) error { err = provider.deleteUser(&user) if err == nil { RemoveCachedWebDAVUser(user.Username) - go executeAction(operationDelete, user) + executeAction(operationDelete, &user) } return err } @@ -1970,7 +1970,7 @@ func executePreLoginHook(username, loginMethod, ip, protocol string) (User, erro } // ExecutePostLoginHook executes the post login hook if defined -func ExecutePostLoginHook(username, loginMethod, ip, protocol string, err error) { +func ExecutePostLoginHook(user *User, loginMethod, ip, protocol string, err error) { if config.PostLoginHook == "" { return } @@ -1981,10 +1981,17 @@ func ExecutePostLoginHook(username, loginMethod, ip, protocol string, err error) return } - go func(username, loginMethod, ip, protocol string, err error) { - status := 0 + go func() { + status := "0" if err == nil { - status = 1 + status = "1" + } + + user.HideConfidentialData() + userAsJSON, err := json.Marshal(user) + if err != nil { + providerLog(logger.LevelWarn, "error serializing user in post login hook: %v", err) + return } if strings.HasPrefix(config.PostLoginHook, "http") { var url *url.URL @@ -1993,22 +2000,17 @@ func ExecutePostLoginHook(username, loginMethod, ip, protocol string, err error) providerLog(logger.LevelDebug, "Invalid post-login hook %#v", config.PostLoginHook) return } - postReq := make(map[string]interface{}) - postReq["username"] = username - postReq["login_method"] = loginMethod - postReq["ip"] = ip - postReq["protocol"] = protocol - postReq["status"] = status + q := url.Query() + q.Add("login_method", loginMethod) + q.Add("ip", ip) + q.Add("protocol", protocol) + q.Add("status", status) + url.RawQuery = q.Encode() - postAsJSON, err := json.Marshal(postReq) - if err != nil { - providerLog(logger.LevelWarn, "error serializing post login request: %v", err) - return - } startTime := time.Now() respCode := 0 httpClient := httpclient.GetHTTPClient() - resp, err := httpClient.Post(url.String(), "application/json", bytes.NewBuffer(postAsJSON)) + resp, err := httpClient.Post(url.String(), "application/json", bytes.NewBuffer(userAsJSON)) if err == nil { respCode = resp.StatusCode resp.Body.Close() @@ -2021,7 +2023,7 @@ func ExecutePostLoginHook(username, loginMethod, ip, protocol string, err error) defer cancel() cmd := exec.CommandContext(ctx, config.PostLoginHook) cmd.Env = append(os.Environ(), - fmt.Sprintf("SFTPGO_LOGIND_USER=%v", username), + fmt.Sprintf("SFTPGO_LOGIND_USER=%v", string(userAsJSON)), fmt.Sprintf("SFTPGO_LOGIND_IP=%v", ip), fmt.Sprintf("SFTPGO_LOGIND_METHOD=%v", loginMethod), fmt.Sprintf("SFTPGO_LOGIND_STATUS=%v", status), @@ -2029,7 +2031,7 @@ func ExecutePostLoginHook(username, loginMethod, ip, protocol string, err error) startTime := time.Now() err = cmd.Run() providerLog(logger.LevelDebug, "post login hook executed, elapsed %v err: %v", time.Since(startTime), err) - }(username, loginMethod, ip, protocol, err) + }() } func getExternalAuthResponse(username, password, pkey, keyboardInteractive, ip, protocol string) ([]byte, error) { @@ -2130,17 +2132,21 @@ func providerLog(level logger.LogLevel, format string, v ...interface{}) { logger.Log(level, logSender, "", format, v...) } -func executeNotificationCommand(operation string, user User) error { +func executeNotificationCommand(operation string, commandArgs []string, userAsJSON []byte) error { if !filepath.IsAbs(config.Actions.Hook) { err := fmt.Errorf("invalid notification command %#v", config.Actions.Hook) logger.Warn(logSender, "", "unable to execute notification command: %v", err) return err } + ctx, cancel := context.WithTimeout(context.Background(), 15*time.Second) defer cancel() - commandArgs := user.getNotificationFieldsAsSlice(operation) + cmd := exec.CommandContext(ctx, config.Actions.Hook, commandArgs...) - cmd.Env = append(os.Environ(), user.getNotificationFieldsAsEnvVars(operation)...) + cmd.Env = append(os.Environ(), + fmt.Sprintf("SFTPGO_USER_ACTION=%v", operation), + fmt.Sprintf("SFTPGO_USER=%v", string(userAsJSON))) + startTime := time.Now() err := cmd.Run() providerLog(logger.LevelDebug, "executed command %#v with arguments: %+v, elapsed: %v, error: %v", @@ -2148,50 +2154,54 @@ func executeNotificationCommand(operation string, user User) error { return err } -// executed in a goroutine -func executeAction(operation string, user User) { +func executeAction(operation string, user *User) { if !utils.IsStringInSlice(operation, config.Actions.ExecuteOn) { return } - if len(config.Actions.Hook) == 0 { + if config.Actions.Hook == "" { return } - if operation != operationDelete { - var err error - user, err = provider.userExists(user.Username) - if err != nil { - providerLog(logger.LevelWarn, "unable to get the user to notify for operation %#v: %v", operation, err) - return + + go func() { + if operation != operationDelete { + var err error + u, err := provider.userExists(user.Username) + if err != nil { + providerLog(logger.LevelWarn, "unable to get the user to notify for operation %#v: %v", operation, err) + return + } + user = &u } - } - if strings.HasPrefix(config.Actions.Hook, "http") { - var url *url.URL - url, err := url.Parse(config.Actions.Hook) - if err != nil { - providerLog(logger.LevelWarn, "Invalid http_notification_url %#v for operation %#v: %v", config.Actions.Hook, operation, err) - return - } - q := url.Query() - q.Add("action", operation) - url.RawQuery = q.Encode() user.HideConfidentialData() userAsJSON, err := json.Marshal(user) if err != nil { + providerLog(logger.LevelWarn, "unable to serialize user as JSON for operation %#v: %v", operation, err) return } - startTime := time.Now() - httpClient := httpclient.GetHTTPClient() - resp, err := httpClient.Post(url.String(), "application/json", bytes.NewBuffer(userAsJSON)) - respCode := 0 - if err == nil { - respCode = resp.StatusCode - resp.Body.Close() + if strings.HasPrefix(config.Actions.Hook, "http") { + var url *url.URL + url, err := url.Parse(config.Actions.Hook) + if err != nil { + providerLog(logger.LevelWarn, "Invalid http_notification_url %#v for operation %#v: %v", config.Actions.Hook, operation, err) + return + } + q := url.Query() + q.Add("action", operation) + url.RawQuery = q.Encode() + startTime := time.Now() + httpClient := httpclient.GetHTTPClient() + resp, err := httpClient.Post(url.String(), "application/json", bytes.NewBuffer(userAsJSON)) + respCode := 0 + if err == nil { + respCode = resp.StatusCode + resp.Body.Close() + } + providerLog(logger.LevelDebug, "notified operation %#v to URL: %v status code: %v, elapsed: %v err: %v", + operation, url.String(), respCode, time.Since(startTime), err) + } else { + executeNotificationCommand(operation, user.getNotificationFieldsAsSlice(operation), userAsJSON) //nolint:errcheck // the error is used in test cases only } - providerLog(logger.LevelDebug, "notified operation %#v to URL: %v status code: %v, elapsed: %v err: %v", - operation, url.String(), respCode, time.Since(startTime), err) - } else { - executeNotificationCommand(operation, user) //nolint:errcheck // the error is used in test cases only - } + }() } // after migrating database to v4 we have to update the quota for the imported folders diff --git a/dataprovider/user.go b/dataprovider/user.go index d4fbf9b1..16bb2890 100644 --- a/dataprovider/user.go +++ b/dataprovider/user.go @@ -955,24 +955,6 @@ func (u *User) getNotificationFieldsAsSlice(action string) []string { } } -func (u *User) getNotificationFieldsAsEnvVars(action string) []string { - return []string{fmt.Sprintf("SFTPGO_USER_ACTION=%v", action), - fmt.Sprintf("SFTPGO_USER_USERNAME=%v", u.Username), - fmt.Sprintf("SFTPGO_USER_PASSWORD=%v", u.Password), - fmt.Sprintf("SFTPGO_USER_ID=%v", u.ID), - fmt.Sprintf("SFTPGO_USER_STATUS=%v", u.Status), - fmt.Sprintf("SFTPGO_USER_EXPIRATION_DATE=%v", u.ExpirationDate), - fmt.Sprintf("SFTPGO_USER_HOME_DIR=%v", u.HomeDir), - fmt.Sprintf("SFTPGO_USER_UID=%v", u.UID), - fmt.Sprintf("SFTPGO_USER_GID=%v", u.GID), - fmt.Sprintf("SFTPGO_USER_QUOTA_FILES=%v", u.QuotaFiles), - fmt.Sprintf("SFTPGO_USER_QUOTA_SIZE=%v", u.QuotaSize), - fmt.Sprintf("SFTPGO_USER_UPLOAD_BANDWIDTH=%v", u.UploadBandwidth), - fmt.Sprintf("SFTPGO_USER_DOWNLOAD_BANDWIDTH=%v", u.DownloadBandwidth), - fmt.Sprintf("SFTPGO_USER_MAX_SESSIONS=%v", u.MaxSessions), - fmt.Sprintf("SFTPGO_USER_FS_PROVIDER=%v", u.FsConfig.Provider)} -} - func (u *User) getGCSCredentialsFilePath() string { return filepath.Join(credentialsDirPath, fmt.Sprintf("%v_gcs_credentials.json", u.Username)) } diff --git a/docs/custom-actions.md b/docs/custom-actions.md index c8ea7a0a..b0e0dbcd 100644 --- a/docs/custom-actions.md +++ b/docs/custom-actions.md @@ -66,20 +66,7 @@ If the `hook` defines a path to an external program, then this program is invoke The external program can also read the following environment variables: - `SFTPGO_USER_ACTION` -- `SFTPGO_USER_USERNAME` -- `SFTPGO_USER_PASSWORD`, hashed password as stored inside the data provider, can be empty if the user does not login using a password -- `SFTPGO_USER_ID` -- `SFTPGO_USER_STATUS` -- `SFTPGO_USER_EXPIRATION_DATE` -- `SFTPGO_USER_HOME_DIR` -- `SFTPGO_USER_UID` -- `SFTPGO_USER_GID` -- `SFTPGO_USER_QUOTA_FILES` -- `SFTPGO_USER_QUOTA_SIZE` -- `SFTPGO_USER_UPLOAD_BANDWIDTH` -- `SFTPGO_USER_DOWNLOAD_BANDWIDTH` -- `SFTPGO_USER_MAX_SESSIONS` -- `SFTPGO_USER_FS_PROVIDER` +- `SFTPGO_USER`, user serialized as JSON with sensitive fields removed Previous global environment variables aren't cleared when the script is called. The program must finish within 15 seconds. diff --git a/docs/post-login-hook.md b/docs/post-login-hook.md index d8b47abb..1572b39c 100644 --- a/docs/post-login-hook.md +++ b/docs/post-login-hook.md @@ -2,15 +2,13 @@ This hook is executed after a login or after closing a connection for authentication timeout. Defining an appropriate `post_login_scope` you can get notifications for failed logins, successful logins or both. -Combining this hook with the [Post-connect hook](./post-connect-hook.md) you can implement your own (even for Protocol) blacklist/whitelist of IP addresses. - -Please keep in mind that you can easily configure specialized program such as [Fail2ban](http://www.fail2ban.org/) for brute force protection. Executing a hook after each login can be heavy. +Please keep in mind that executing a hook after each login can be heavy. The `post-login-hook` can be defined as the absolute path of your program or an HTTP URL. If the hook defines an external program it can reads the following environment variables: -- `SFTPGO_LOGIND_USER`, username, can be empty if the connection is closed for authentication timeout +- `SFTPGO_LOGIND_USER`, it contains the user serialized as JSON. The username is empty if the connection is closed for authentication timeout - `SFTPGO_LOGIND_IP` - `SFTPGO_LOGIND_METHOD`, possible values are `publickey`, `password`, `keyboard-interactive`, `publickey+password`, `publickey+keyboard-interactive` or `no_auth_tryed` - `SFTPGO_LOGIND_STATUS`, 1 means login OK, 0 login KO @@ -19,18 +17,13 @@ If the hook defines an external program it can reads the following environment v Previous global environment variables aren't cleared when the script is called. The program must finish within 20 seconds. -If the hook is an HTTP URL then it will be invoked as HTTP POST. The request body will contain a JSON serialized struct with the following fields: - -- `username` -- `login_method` -- `ip` -- `protocol` -- `status` +If the hook is an HTTP URL then it will be invoked as HTTP POST. The login method, the used protocol, the ip address and the status of the user are added to the query string, for example `?login_method=password&ip=1.2.3.4&protocol=SSH&status=1`. +The request body will contain the user serialized as JSON. The HTTP request will use the global configuration for HTTP clients. The `post_login_scope` supports the following configuration values: - `0` means notify both failed and successful logins -- `1` means notify failed logins. Connections closed for authentication timeout are notified as failed connections. You will get an empty username in this case +- `1` means notify failed logins. Connections closed for authentication timeout are notified as failed logins. You will get an empty username in this case - `2` means notify successful logins diff --git a/ftpd/server.go b/ftpd/server.go index 39ec0765..bfa93e55 100644 --- a/ftpd/server.go +++ b/ftpd/server.go @@ -137,13 +137,14 @@ func (s *Server) AuthUser(cc ftpserver.ClientContext, username, password string) ipAddr := utils.GetIPFromRemoteAddress(cc.RemoteAddr().String()) user, err := dataprovider.CheckUserAndPass(username, password, ipAddr, common.ProtocolFTP) if err != nil { - updateLoginMetrics(username, ipAddr, err) + user.Username = username + updateLoginMetrics(&user, ipAddr, err) return nil, err } connection, err := s.validateUser(user, cc) - defer updateLoginMetrics(username, ipAddr, err) + defer updateLoginMetrics(&user, ipAddr, err) if err != nil { return nil, err @@ -247,10 +248,10 @@ func (s *Server) validateUser(user dataprovider.User, cc ftpserver.ClientContext return connection, nil } -func updateLoginMetrics(username, ip string, err error) { +func updateLoginMetrics(user *dataprovider.User, ip string, err error) { metrics.AddLoginAttempt(dataprovider.LoginMethodPassword) if err != nil { - logger.ConnectionFailedLog(username, ip, dataprovider.LoginMethodPassword, + logger.ConnectionFailedLog(user.Username, ip, dataprovider.LoginMethodPassword, common.ProtocolFTP, err.Error()) event := common.HostEventLoginFailed if _, ok := err.(*dataprovider.RecordNotFoundError); ok { @@ -259,5 +260,5 @@ func updateLoginMetrics(username, ip string, err error) { common.AddDefenderEvent(ip, event) } metrics.AddLoginResult(dataprovider.LoginMethodPassword, err) - dataprovider.ExecutePostLoginHook(username, dataprovider.LoginMethodPassword, ip, common.ProtocolFTP, err) + dataprovider.ExecutePostLoginHook(user, dataprovider.LoginMethodPassword, ip, common.ProtocolFTP, err) } diff --git a/sftpd/server.go b/sftpd/server.go index 38b7d5aa..df70a03b 100644 --- a/sftpd/server.go +++ b/sftpd/server.go @@ -534,7 +534,7 @@ func checkAuthError(ip string, err error) { logger.ConnectionFailedLog("", ip, dataprovider.LoginMethodNoAuthTryed, common.ProtocolSSH, err.Error()) metrics.AddNoAuthTryed() common.AddDefenderEvent(ip, common.HostEventNoLoginTried) - dataprovider.ExecutePostLoginHook("", dataprovider.LoginMethodNoAuthTryed, ip, common.ProtocolSSH, err) + dataprovider.ExecutePostLoginHook(&dataprovider.User{}, dataprovider.LoginMethodNoAuthTryed, ip, common.ProtocolSSH, err) } } @@ -791,16 +791,19 @@ func (c *Configuration) validatePublicKeyCredentials(conn ssh.ConnMetadata, pubK if ok { if cert.CertType != ssh.UserCert { err = fmt.Errorf("ssh: cert has type %d", cert.CertType) - updateLoginMetrics(conn, ipAddr, method, err) + user.Username = conn.User() + updateLoginMetrics(&user, ipAddr, method, err) return nil, err } if !c.certChecker.IsUserAuthority(cert.SignatureKey) { err = fmt.Errorf("ssh: certificate signed by unrecognized authority") - updateLoginMetrics(conn, ipAddr, method, err) + user.Username = conn.User() + updateLoginMetrics(&user, ipAddr, method, err) return nil, err } if err := c.certChecker.CheckCert(conn.User(), cert); err != nil { - updateLoginMetrics(conn, ipAddr, method, err) + user.Username = conn.User() + updateLoginMetrics(&user, ipAddr, method, err) return nil, err } certPerm = &cert.Permissions @@ -822,7 +825,8 @@ func (c *Configuration) validatePublicKeyCredentials(conn ssh.ConnMetadata, pubK } } } - updateLoginMetrics(conn, ipAddr, method, err) + user.Username = conn.User() + updateLoginMetrics(&user, ipAddr, method, err) return sshPerm, err } @@ -839,7 +843,8 @@ func (c *Configuration) validatePasswordCredentials(conn ssh.ConnMetadata, pass if user, err = dataprovider.CheckUserAndPass(conn.User(), string(pass), ipAddr, common.ProtocolSSH); err == nil { sshPerm, err = loginUser(user, method, "", conn) } - updateLoginMetrics(conn, ipAddr, method, err) + user.Username = conn.User() + updateLoginMetrics(&user, ipAddr, method, err) return sshPerm, err } @@ -857,14 +862,15 @@ func (c *Configuration) validateKeyboardInteractiveCredentials(conn ssh.ConnMeta ipAddr, common.ProtocolSSH); err == nil { sshPerm, err = loginUser(user, method, "", conn) } - updateLoginMetrics(conn, ipAddr, method, err) + user.Username = conn.User() + updateLoginMetrics(&user, ipAddr, method, err) return sshPerm, err } -func updateLoginMetrics(conn ssh.ConnMetadata, ip, method string, err error) { +func updateLoginMetrics(user *dataprovider.User, ip, method string, err error) { metrics.AddLoginAttempt(method) if err != nil { - logger.ConnectionFailedLog(conn.User(), ip, method, common.ProtocolSSH, err.Error()) + logger.ConnectionFailedLog(user.Username, ip, method, common.ProtocolSSH, err.Error()) if method != dataprovider.SSHLoginMethodPublicKey { // some clients try all available public keys for a user, we // record failed login key auth only once for session if the @@ -877,5 +883,5 @@ func updateLoginMetrics(conn ssh.ConnMetadata, ip, method string, err error) { } } metrics.AddLoginResult(method, err) - dataprovider.ExecutePostLoginHook(conn.User(), method, ip, common.ProtocolSSH, err) + dataprovider.ExecutePostLoginHook(user, method, ip, common.ProtocolSSH, err) } diff --git a/webdavd/internal_test.go b/webdavd/internal_test.go index ae376021..ce05bbba 100644 --- a/webdavd/internal_test.go +++ b/webdavd/internal_test.go @@ -379,7 +379,7 @@ func TestOrderDirsToRemove(t *testing.T) { } func TestUserInvalidParams(t *testing.T) { - u := dataprovider.User{ + u := &dataprovider.User{ Username: "username", HomeDir: "invalid", } diff --git a/webdavd/server.go b/webdavd/server.go index b2422900..bc9559a3 100644 --- a/webdavd/server.go +++ b/webdavd/server.go @@ -154,21 +154,21 @@ func (s *webDavServer) ServeHTTP(w http.ResponseWriter, r *http.Request) { return } - connectionID, err := s.validateUser(user, r) + connectionID, err := s.validateUser(&user, r) if err != nil { - updateLoginMetrics(user.Username, ipAddr, err) + updateLoginMetrics(&user, ipAddr, err) http.Error(w, err.Error(), http.StatusForbidden) return } fs, err := user.GetFilesystem(connectionID) if err != nil { - updateLoginMetrics(user.Username, ipAddr, err) + updateLoginMetrics(&user, ipAddr, err) http.Error(w, err.Error(), http.StatusInternalServerError) return } - updateLoginMetrics(user.Username, ipAddr, err) + updateLoginMetrics(&user, ipAddr, err) ctx := context.WithValue(r.Context(), requestIDKey, connectionID) ctx = context.WithValue(ctx, requestStartKey, time.Now()) @@ -210,13 +210,14 @@ func (s *webDavServer) authenticate(r *http.Request, ip string) (dataprovider.Us if password != "" && cachedUser.Password == password { return cachedUser.User, true, cachedUser.LockSystem, nil } - updateLoginMetrics(username, ip, dataprovider.ErrInvalidCredentials) + updateLoginMetrics(&cachedUser.User, ip, dataprovider.ErrInvalidCredentials) return user, false, nil, dataprovider.ErrInvalidCredentials } } user, err = dataprovider.CheckUserAndPass(username, password, ip, common.ProtocolWebDAV) if err != nil { - updateLoginMetrics(username, ip, err) + user.Username = username + updateLoginMetrics(&user, ip, err) return user, false, nil, err } lockSystem := webdav.NewMemLS() @@ -242,7 +243,7 @@ func (s *webDavServer) authenticate(r *http.Request, ip string) (dataprovider.Us return user, false, lockSystem, nil } -func (s *webDavServer) validateUser(user dataprovider.User, r *http.Request) (string, error) { +func (s *webDavServer) validateUser(user *dataprovider.User, r *http.Request) (string, error) { connID := xid.New().String() connectionID := fmt.Sprintf("%v_%v", common.ProtocolWebDAV, connID) @@ -332,10 +333,10 @@ func checkRemoteAddress(r *http.Request) { } } -func updateLoginMetrics(username, ip string, err error) { +func updateLoginMetrics(user *dataprovider.User, ip string, err error) { metrics.AddLoginAttempt(dataprovider.LoginMethodPassword) if err != nil { - logger.ConnectionFailedLog(username, ip, dataprovider.LoginMethodPassword, common.ProtocolWebDAV, err.Error()) + logger.ConnectionFailedLog(user.Username, ip, dataprovider.LoginMethodPassword, common.ProtocolWebDAV, err.Error()) event := common.HostEventLoginFailed if _, ok := err.(*dataprovider.RecordNotFoundError); ok { event = common.HostEventUserNotFound @@ -343,5 +344,5 @@ func updateLoginMetrics(username, ip string, err error) { common.AddDefenderEvent(ip, event) } metrics.AddLoginResult(dataprovider.LoginMethodPassword, err) - dataprovider.ExecutePostLoginHook(username, dataprovider.LoginMethodPassword, ip, common.ProtocolWebDAV, err) + dataprovider.ExecutePostLoginHook(user, dataprovider.LoginMethodPassword, ip, common.ProtocolWebDAV, err) }