diff --git a/Dockerfile.alpine b/Dockerfile.alpine index 05f32a04..a40b9dc4 100644 --- a/Dockerfile.alpine +++ b/Dockerfile.alpine @@ -35,10 +35,6 @@ RUN apk add --update --no-cache ca-certificates tzdata mailcap RUN if [ "${INSTALL_OPTIONAL_PACKAGES}" = "true" ]; then apk add --update --no-cache jq git rsync; fi -# set up nsswitch.conf for Go's "netgo" implementation -# https://github.com/gliderlabs/docker-alpine/issues/367#issuecomment-424546457 -RUN test ! -e /etc/nsswitch.conf && echo 'hosts: files dns' > /etc/nsswitch.conf - RUN mkdir -p /etc/sftpgo /var/lib/sftpgo /usr/share/sftpgo /srv/sftpgo/data /srv/sftpgo/backups RUN addgroup -g 1000 -S sftpgo && \ diff --git a/README.md b/README.md index 2d3bfa82..fbd92a4c 100644 --- a/README.md +++ b/README.md @@ -64,6 +64,7 @@ If you report an invalid issue or ask for step-by-step support, your issue will - Per-user authentication methods. - [Two-factor authentication](./docs/howto/two-factor-authentication.md) based on time-based one time passwords (RFC 6238) which works with Authy, Google Authenticator and other compatible apps. - Simplified user administrations using [groups](./docs/groups.md). +- [Roles](./docs/roles.md) allow you to create limited administrators who can only create and manage users with their role. - Custom authentication via [external programs/HTTP API](./docs/external-auth.md). - Web Client and Web Admin user interfaces support [OpenID Connect](https://openid.net/connect/) authentication and so they can be integrated with identity providers such as [Keycloak](https://www.keycloak.org/). You can find more details [here](./docs/oidc.md). - [Data At Rest Encryption](./docs/dare.md). @@ -134,7 +135,7 @@ APT and YUM repositories are [available](./docs/repo.md). SFTPGo is also available on some marketplaces: - [AWS Marketplace](https://aws.amazon.com/marketplace/seller-profile?id=6e849ab8-70a6-47de-9a43-13c3fa849335) -- [Azure Marketplace](https://azuremarketplace.microsoft.com/en-us/marketplace/apps/prasselsrl1645470739547.sftpgo_linux) +- [Azure Marketplace](https://azuremarketplace.microsoft.com/en-us/marketplace/apps/eliamarzia1667381463185.sftpgo_linux) - [Elest.io](https://elest.io/open-source/sftpgo) Purchasing from there will help keep SFTPGo a long-term sustainable project. diff --git a/README.zh_CN.md b/README.zh_CN.md index 1817cf7c..9c209b22 100644 --- a/README.zh_CN.md +++ b/README.zh_CN.md @@ -125,7 +125,7 @@ SFTPGo 基于 Linux 开发和创建。在每一次提交之后,代码会自动 -SFTPGo 在 [AWS Marketplace](https://aws.amazon.com/marketplace/seller-profile?id=6e849ab8-70a6-47de-9a43-13c3fa849335) 和 [Azure Marketplace](https://azuremarketplace.microsoft.com/en-us/marketplace/apps/prasselsrl1645470739547.sftpgo_linux) 同样可用,在此付费可以帮助 SFTPGo 成为一个可持续发展的长期项目。 +SFTPGo 在 [AWS Marketplace](https://aws.amazon.com/marketplace/seller-profile?id=6e849ab8-70a6-47de-9a43-13c3fa849335) 和 [Azure Marketplace](https://azuremarketplace.microsoft.com/en-us/marketplace/apps/eliamarzia1667381463185.sftpgo_linux) 同样可用,在此付费可以帮助 SFTPGo 成为一个可持续发展的长期项目。
Windows 包 diff --git a/docker/README.md b/docker/README.md index de24d02a..08222e24 100644 --- a/docker/README.md +++ b/docker/README.md @@ -4,12 +4,12 @@ SFTPGo provides an official Docker image, it is available on both [Docker Hub](h ## Supported tags and respective Dockerfile links -- [v2.4.0, v2.4, v2, latest](https://github.com/drakkan/sftpgo/blob/v2.4.0/Dockerfile) -- [v2.4.0-plugins, v2.4-plugins, v2-plugins, plugins](https://github.com/drakkan/sftpgo/blob/v2.4.0/Dockerfile) -- [v2.4.0-alpine, v2.4-alpine, v2-alpine, alpine](https://github.com/drakkan/sftpgo/blob/v2.4.0/Dockerfile.alpine) -- [v2.4.0-slim, v2.4-slim, v2-slim, slim](https://github.com/drakkan/sftpgo/blob/v2.4.0/Dockerfile) -- [v2.4.0-alpine-slim, v2.4-alpine-slim, v2-alpine-slim, alpine-slim](https://github.com/drakkan/sftpgo/blob/v2.4.0/Dockerfile.alpine) -- [v2.4.0-distroless-slim, v2.4-distroless-slim, v2-distroless-slim, distroless-slim](https://github.com/drakkan/sftpgo/blob/v2.4.0/Dockerfile.distroless) +- [v2.4.1, v2.4, v2, latest](https://github.com/drakkan/sftpgo/blob/v2.4.1/Dockerfile) +- [v2.4.1-plugins, v2.4-plugins, v2-plugins, plugins](https://github.com/drakkan/sftpgo/blob/v2.4.1/Dockerfile) +- [v2.4.1-alpine, v2.4-alpine, v2-alpine, alpine](https://github.com/drakkan/sftpgo/blob/v2.4.1/Dockerfile.alpine) +- [v2.4.1-slim, v2.4-slim, v2-slim, slim](https://github.com/drakkan/sftpgo/blob/v2.4.1/Dockerfile) +- [v2.4.1-alpine-slim, v2.4-alpine-slim, v2-alpine-slim, alpine-slim](https://github.com/drakkan/sftpgo/blob/v2.4.1/Dockerfile.alpine) +- [v2.4.1-distroless-slim, v2.4-distroless-slim, v2-distroless-slim, distroless-slim](https://github.com/drakkan/sftpgo/blob/v2.4.1/Dockerfile.distroless) - [edge](../Dockerfile) - [edge-plugins](../Dockerfile) - [edge-alpine](../Dockerfile.alpine) diff --git a/docs/full-configuration.md b/docs/full-configuration.md index 9b167a10..645d8012 100644 --- a/docs/full-configuration.md +++ b/docs/full-configuration.md @@ -65,7 +65,7 @@ The configuration file contains the following sections: - `hook`, string. Absolute path to the command to execute or HTTP URL to notify. - `setstat_mode`, integer. 0 means "normal mode": requests for changing permissions, owner/group and access/modification times are executed. 1 means "ignore mode": requests for changing permissions, owner/group and access/modification times are silently ignored. 2 means "ignore mode if not supported": requests for changing permissions and owner/group are silently ignored for cloud filesystems and executed for local/SFTP filesystem. Requests for changing modification times are always executed for local/SFTP filesystems and are executed for cloud based filesystems if the target is a file and there is a metadata plugin available. A metadata plugin can be found [here](https://github.com/sftpgo/sftpgo-plugin-metadata). - `temp_path`, string. Defines the path for temporary files such as those used for atomic uploads or file pipes. If you set this option you must make sure that the defined path exists, is accessible for writing by the user running SFTPGo, and is on the same filesystem as the users home directories otherwise the renaming for atomic uploads will become a copy and therefore may take a long time. The temporary files are not namespaced. The default is generally fine. Leave empty for the default. - - `proxy_protocol`, integer. Support for [HAProxy PROXY protocol](https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt). If you are running SFTPGo behind a proxy server such as HAProxy, AWS ELB or NGINX, you can enable the proxy protocol. It provides a convenient way to safely transport connection information such as a client's address across multiple layers of NAT or TCP proxies to get the real client IP address instead of the proxy IP. Both protocol versions 1 and 2 are supported. If the proxy protocol is enabled in SFTPGo then you have to enable the protocol in your proxy configuration too. For example, for HAProxy, add `send-proxy` or `send-proxy-v2` to each server configuration line. The following modes are supported: + - `proxy_protocol`, integer. Support for [HAProxy PROXY protocol](https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt). If you are running SFTPGo behind a proxy server such as HAProxy, AWS ELB or NGINX, you can enable the proxy protocol. It provides a convenient way to safely transport connection information such as a client's address across multiple layers of NAT or TCP proxies to get the real client IP address instead of the proxy IP. Both protocol versions 1 and 2 are supported. If the proxy protocol is enabled in SFTPGo then you have to enable the protocol in your proxy configuration too. For example, for HAProxy, add `send-proxy` or `send-proxy-v2` to each server configuration line. The PROXY protocol is supported for SSH/SFTP and FTP/S. The following modes are supported: - 0, disabled - 1, enabled. If the upstream IP is not allowed to send a proxy header the header be ignored. Using this mode does not mean that we can accept connections with and without the proxy header. We always try to read the proxy header and we ignore it if the upstream IP is not allowed to send a proxy header - 2, required. If the upstream IP is not allowed to send a proxy header the connection will be rejected diff --git a/docs/roles.md b/docs/roles.md new file mode 100644 index 00000000..c36c2afb --- /dev/null +++ b/docs/roles.md @@ -0,0 +1,13 @@ +# Roles + +Roles can be assigned to users and administrators. Admins with a role are limited administrators, they can only view and manage users with their own role and they cannot have the following permissions: + +- manage_admins +- manage_system +- manage_event_rules +- manage_roles +- view_events + +Users created by role administrators automatically inherit their role. + +Admins without a role are global administrators and can manage all users (with and without a role) and assign a specific role to users. diff --git a/examples/convertusers/README.md b/examples/convertusers/README.md index 2cfb7dae..565e2c2f 100644 --- a/examples/convertusers/README.md +++ b/examples/convertusers/README.md @@ -47,3 +47,5 @@ python convertusers proftpd.passwd proftpd pro_users.json The generated json file can be used as input for the `loaddata` REST API. Please note that when importing Linux/Unix users the input file is not required: `/etc/passwd` and `/etc/shadow` are automatically parsed. `/etc/shadow` read permission is typically granted to the `root` user only, so you need to execute `convertusers` as `root`. + +:warning: SFTPGo does not currently support `yescrypt` hashed passwords. diff --git a/go.mod b/go.mod index bc4e54f3..8ac46c37 100644 --- a/go.mod +++ b/go.mod @@ -3,21 +3,21 @@ module github.com/drakkan/sftpgo/v2 go 1.19 require ( - cloud.google.com/go/storage v1.27.0 + cloud.google.com/go/storage v1.28.0 github.com/Azure/azure-sdk-for-go/sdk/azcore v1.2.0 github.com/Azure/azure-sdk-for-go/sdk/storage/azblob v0.5.1 github.com/GehirnInc/crypt v0.0.0-20200316065508-bb7000b8a962 github.com/alexedwards/argon2id v0.0.0-20211130144151-3585854a6387 github.com/aws/aws-sdk-go-v2 v1.17.1 - github.com/aws/aws-sdk-go-v2/config v1.17.10 - github.com/aws/aws-sdk-go-v2/credentials v1.12.23 + github.com/aws/aws-sdk-go-v2/config v1.18.0 + github.com/aws/aws-sdk-go-v2/credentials v1.13.0 github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.12.19 - github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.11.37 - github.com/aws/aws-sdk-go-v2/service/marketplacemetering v1.13.21 - github.com/aws/aws-sdk-go-v2/service/s3 v1.29.1 - github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.16.4 - github.com/aws/aws-sdk-go-v2/service/sts v1.17.1 - github.com/cockroachdb/cockroach-go/v2 v2.2.16 + github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.11.39 + github.com/aws/aws-sdk-go-v2/service/marketplacemetering v1.13.22 + github.com/aws/aws-sdk-go-v2/service/s3 v1.29.2 + github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.16.5 + github.com/aws/aws-sdk-go-v2/service/sts v1.17.2 + github.com/cockroachdb/cockroach-go/v2 v2.2.18 github.com/coreos/go-oidc/v3 v3.4.0 github.com/drakkan/webdav v0.0.0-20221101181759-17ed21f9337b github.com/eikenb/pipeat v0.0.0-20210730190139-06b3e6902001 @@ -25,62 +25,62 @@ require ( github.com/fclairamb/go-log v0.4.1 github.com/go-acme/lego/v4 v4.9.0 github.com/go-chi/chi/v5 v5.0.8-0.20221018120124-e5529d9db4d3 - github.com/go-chi/jwtauth/v5 v5.0.2 + github.com/go-chi/jwtauth/v5 v5.1.0 github.com/go-chi/render v1.0.2 github.com/go-sql-driver/mysql v1.6.0 github.com/golang/mock v1.6.0 github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 github.com/google/uuid v1.3.0 github.com/hashicorp/go-hclog v1.3.1 - github.com/hashicorp/go-plugin v1.4.5 + github.com/hashicorp/go-plugin v1.4.6 github.com/hashicorp/go-retryablehttp v0.7.1 - github.com/jackc/pgx/v5 v5.0.4 + github.com/jackc/pgx/v5 v5.1.0 github.com/jlaffaye/ftp v0.0.0-20201112195030-9aae4d151126 github.com/klauspost/compress v1.15.12 - github.com/lestrrat-go/jwx v1.2.25 + github.com/lestrrat-go/jwx/v2 v2.0.7 github.com/lithammer/shortuuid/v3 v3.0.7 github.com/mattn/go-sqlite3 v1.14.16 github.com/mhale/smtpd v0.8.0 github.com/minio/sio v0.3.0 - github.com/otiai10/copy v1.7.0 + github.com/otiai10/copy v1.9.0 github.com/pires/go-proxyproto v0.6.2 github.com/pkg/sftp v1.13.6-0.20221020054726-e4133ab7e9bd github.com/pquerna/otp v1.3.0 - github.com/prometheus/client_golang v1.13.1 + github.com/prometheus/client_golang v1.14.0 github.com/robfig/cron/v3 v3.0.1 github.com/rs/cors v1.8.3-0.20220619195839-da52b0701de5 github.com/rs/xid v1.4.0 github.com/rs/zerolog v1.28.0 - github.com/sftpgo/sdk v0.1.3-0.20221105153737-bae9afc6b356 + github.com/sftpgo/sdk v0.1.3-0.20221116180328-3fc64e926700 github.com/shirou/gopsutil/v3 v3.22.10 - github.com/spf13/afero v1.9.2 + github.com/spf13/afero v1.9.3 github.com/spf13/cobra v1.6.1 - github.com/spf13/viper v1.13.0 + github.com/spf13/viper v1.14.0 github.com/stretchr/testify v1.8.1 - github.com/studio-b12/gowebdav v0.0.0-20221102155456-200a600c0272 + github.com/studio-b12/gowebdav v0.0.0-20221109171924-60ec5ad56012 github.com/subosito/gotenv v1.4.1 github.com/unrolled/secure v1.13.0 github.com/wagslane/go-password-validator v0.3.0 - github.com/xhit/go-simple-mail/v2 v2.12.0 + github.com/xhit/go-simple-mail/v2 v2.13.0 github.com/yl2chen/cidranger v1.0.3-0.20210928021809-d1cb2c52f37a go.etcd.io/bbolt v1.3.6 go.uber.org/automaxprocs v1.5.1 gocloud.dev v0.27.0 - golang.org/x/crypto v0.1.0 - golang.org/x/net v0.1.0 - golang.org/x/oauth2 v0.1.0 - golang.org/x/sys v0.1.0 - golang.org/x/time v0.1.0 - google.golang.org/api v0.102.0 + golang.org/x/crypto v0.2.0 + golang.org/x/net v0.2.0 + golang.org/x/oauth2 v0.2.0 + golang.org/x/sys v0.2.0 + golang.org/x/time v0.2.0 + google.golang.org/api v0.103.0 gopkg.in/natefinch/lumberjack.v2 v2.0.0 ) require ( - cloud.google.com/go v0.105.0 // indirect + cloud.google.com/go v0.107.0 // indirect cloud.google.com/go/compute v1.12.1 // indirect cloud.google.com/go/compute/metadata v0.2.1 // indirect cloud.google.com/go/iam v0.7.0 // indirect - github.com/Azure/azure-sdk-for-go/sdk/internal v1.0.1 // indirect + github.com/Azure/azure-sdk-for-go/sdk/internal v1.1.1 // indirect github.com/ajg/form v1.5.1 // indirect github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.4.9 // indirect github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.25 // indirect @@ -98,7 +98,7 @@ require ( github.com/boombuler/barcode v1.0.1 // indirect github.com/cenkalti/backoff/v4 v4.1.3 // indirect github.com/cespare/xxhash/v2 v2.1.2 // indirect - github.com/coreos/go-systemd/v22 v22.4.0 // indirect + github.com/coreos/go-systemd/v22 v22.5.0 // indirect github.com/cpuguy83/go-md2man/v2 v2.0.2 // indirect github.com/davecgh/go-spew v1.1.1 // indirect github.com/decred/dcrd/dcrec/secp256k1/v4 v4.1.0 // indirect @@ -119,11 +119,11 @@ require ( github.com/jackc/pgpassfile v1.0.0 // indirect github.com/jackc/pgservicefile v0.0.0-20200714003250-2b9c44734f2b // indirect github.com/jmespath/go-jmespath v0.4.0 // indirect - github.com/klauspost/cpuid/v2 v2.1.2 // indirect + github.com/klauspost/cpuid/v2 v2.2.1 // indirect github.com/kr/fs v0.1.0 // indirect - github.com/lestrrat-go/backoff/v2 v2.0.8 // indirect github.com/lestrrat-go/blackmagic v1.0.1 // indirect github.com/lestrrat-go/httpcc v1.0.1 // indirect + github.com/lestrrat-go/httprc v1.0.4 // indirect github.com/lestrrat-go/iter v1.0.2 // indirect github.com/lestrrat-go/option v1.0.0 // indirect github.com/lib/pq v1.10.7 // indirect @@ -139,7 +139,6 @@ require ( github.com/oklog/run v1.1.0 // indirect github.com/pelletier/go-toml v1.9.5 // indirect github.com/pelletier/go-toml/v2 v2.0.5 // indirect - github.com/pkg/errors v0.9.1 // indirect github.com/pmezard/go-difflib v1.0.0 // indirect github.com/power-devops/perfstat v0.0.0-20220216144756-c35f1ee13d7c // indirect github.com/prometheus/client_model v0.3.0 // indirect @@ -149,17 +148,17 @@ require ( github.com/spf13/cast v1.5.0 // indirect github.com/spf13/jwalterweatherman v1.1.0 // indirect github.com/spf13/pflag v1.0.5 // indirect - github.com/tklauser/go-sysconf v0.3.10 // indirect - github.com/tklauser/numcpus v0.5.0 // indirect + github.com/tklauser/go-sysconf v0.3.11 // indirect + github.com/tklauser/numcpus v0.6.0 // indirect github.com/toorop/go-dkim v0.0.0-20201103131630-e1cd1a0a5208 // indirect github.com/yusufpapurcu/wmi v1.2.2 // indirect go.opencensus.io v0.24.0 // indirect - golang.org/x/mod v0.6.0 // indirect + golang.org/x/mod v0.7.0 // indirect golang.org/x/text v0.4.0 // indirect - golang.org/x/tools v0.2.0 // indirect + golang.org/x/tools v0.3.0 // indirect golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2 // indirect google.golang.org/appengine v1.6.7 // indirect - google.golang.org/genproto v0.0.0-20221027153422-115e99e71e1c // indirect + google.golang.org/genproto v0.0.0-20221114212237-e4508ebdbee1 // indirect google.golang.org/grpc v1.50.1 // indirect google.golang.org/protobuf v1.28.1 // indirect gopkg.in/ini.v1 v1.67.0 // indirect diff --git a/go.sum b/go.sum index 3703b0f4..59a3c8e7 100644 --- a/go.sum +++ b/go.sum @@ -36,8 +36,8 @@ cloud.google.com/go v0.100.2/go.mod h1:4Xra9TjzAeYHrl5+oeLlzbM2k3mjVhZh4UqTZ//w9 cloud.google.com/go v0.102.0/go.mod h1:oWcCzKlqJ5zgHQt9YsaeTY9KzIvjyy0ArmiBUgpQ+nc= cloud.google.com/go v0.102.1/go.mod h1:XZ77E9qnTEnrgEOvr4xzfdX5TRo7fB4T2F4O6+34hIU= cloud.google.com/go v0.103.0/go.mod h1:vwLx1nqLrzLX/fpwSMOXmFIqBOyHsvHbnAdbGSJ+mKk= -cloud.google.com/go v0.105.0 h1:DNtEKRBAAzeS4KyIory52wWHuClNaXJ5x1F7xa4q+5Y= -cloud.google.com/go v0.105.0/go.mod h1:PrLgOJNe5nfE9UMxKxgXj4mD3voiP+YQ6gdt6KMFOKM= +cloud.google.com/go v0.107.0 h1:qkj22L7bgkl6vIeZDlOY2po43Mx/TIa2Wsa7VR+PEww= +cloud.google.com/go v0.107.0/go.mod h1:wpc2eNrD7hXUTy8EKS10jkxpZBjASrORK7goS+3YX2I= cloud.google.com/go/bigquery v1.0.1/go.mod h1:i/xbL2UlR5RvWAURpBYZTtm/cXjCha9lbfbpx4poX+o= cloud.google.com/go/bigquery v1.3.0/go.mod h1:PjpwJnslEMmckchkHFfq+HTD2DmtT67aNFKH1/VBDHE= cloud.google.com/go/bigquery v1.4.0/go.mod h1:S8dzgnTigyfTmLBfrtrhyYhwRxG72rYxvftPBK2Dvzc= @@ -63,8 +63,8 @@ cloud.google.com/go/iam v0.3.0/go.mod h1:XzJPvDayI+9zsASAFO68Hk07u3z+f+JrT2xXNdp cloud.google.com/go/iam v0.7.0 h1:k4MuwOsS7zGJJ+QfZ5vBK8SgHBAvYN/23BWsiihJ1vs= cloud.google.com/go/iam v0.7.0/go.mod h1:H5Br8wRaDGNc8XP3keLc4unfUUZeyH3Sfl9XpQEYOeg= cloud.google.com/go/kms v1.4.0/go.mod h1:fajBHndQ+6ubNw6Ss2sSd+SWvjL26RNo/dr7uxsnnOA= -cloud.google.com/go/kms v1.5.0 h1:uc58n3b/n/F2yDMJzHMbXORkJSh3fzO4/+jju6eR7Zg= -cloud.google.com/go/longrunning v0.1.1 h1:y50CXG4j0+qvEukslYFBCrzaXX0qpFbBzc3PchSu/LE= +cloud.google.com/go/kms v1.6.0 h1:OWRZzrPmOZUzurjI2FBGtgY2mB1WaJkqhw6oIwSj0Yg= +cloud.google.com/go/longrunning v0.3.0 h1:NjljC+FYPV3uh5/OwWT6pVU+doBqMg2x/rZlE+CamDs= cloud.google.com/go/monitoring v1.1.0/go.mod h1:L81pzz7HKn14QCMaCs6NTQkdBnE87TElyanS95vIcl4= cloud.google.com/go/monitoring v1.5.0/go.mod h1:/o9y8NYX5j91JjD/JvGLYbi86kL11OjyJXq2XziLJu4= cloud.google.com/go/pubsub v1.0.1/go.mod h1:R0Gpsv3s54REJCy4fxDixWD93lHJMoZTyQ2kNxGRt3I= @@ -82,8 +82,8 @@ cloud.google.com/go/storage v1.14.0/go.mod h1:GrKmX003DSIwi9o29oFT7YDnHYwZoctc3f cloud.google.com/go/storage v1.22.1/go.mod h1:S8N1cAStu7BOeFfE8KAQzmyyLkK8p/vmRq6kuBTW58Y= cloud.google.com/go/storage v1.23.0/go.mod h1:vOEEDNFnciUMhBeT6hsJIn3ieU5cFRmzeLgDvXzfIXc= cloud.google.com/go/storage v1.24.0/go.mod h1:3xrJEFMXBsQLgxwThyjuD3aYlroL0TMRec1ypGUQ0KE= -cloud.google.com/go/storage v1.27.0 h1:YOO045NZI9RKfCj1c5A/ZtuuENUc8OAW+gHdGnDgyMQ= -cloud.google.com/go/storage v1.27.0/go.mod h1:x9DOL8TK/ygDUMieqwfhdpQryTeEkhGKMi80i/iqR2s= +cloud.google.com/go/storage v1.28.0 h1:DLrIZ6xkeZX6K70fU/boWx5INJumt6f+nwwWSHXzzGY= +cloud.google.com/go/storage v1.28.0/go.mod h1:qlgZML35PXA3zoEnIkiPLY4/TOkUleufRlu6qmcf7sI= cloud.google.com/go/trace v1.0.0/go.mod h1:4iErSByzxkyHWzzlAj63/Gmjz0NH1ASqhJguHpGcr6A= cloud.google.com/go/trace v1.2.0/go.mod h1:Wc8y/uYyOhPy12KEnXG9XGrvfMz5F5SrYecQlbW1rwM= code.cloudfoundry.org/clock v0.0.0-20180518195852-02e53af36e6c/go.mod h1:QD9Lzhd/ux6eNQVUDVRJX/RKTigpewimNYBi7ivZKY8= @@ -108,8 +108,8 @@ github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.0.0/go.mod h1:+6sju8gk8FRmSa github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.1.0 h1:QkAcEIAKbNL4KoFr4SathZPhDhF4mVwpBMFlYjyAqy8= github.com/Azure/azure-sdk-for-go/sdk/internal v0.7.0/go.mod h1:yqy467j36fJxcRV2TzfVZ1pCb5vxm4BtZPUdYWe/Xo8= github.com/Azure/azure-sdk-for-go/sdk/internal v1.0.0/go.mod h1:eWRD7oawr1Mu1sLCawqVc0CUiF43ia3qQMxLscsKQ9w= -github.com/Azure/azure-sdk-for-go/sdk/internal v1.0.1 h1:XUNQ4mw+zJmaA2KXzP9JlQiecy1SI+Eog7xVkPiqIbg= -github.com/Azure/azure-sdk-for-go/sdk/internal v1.0.1/go.mod h1:eWRD7oawr1Mu1sLCawqVc0CUiF43ia3qQMxLscsKQ9w= +github.com/Azure/azure-sdk-for-go/sdk/internal v1.1.1 h1:Oj853U9kG+RLTCQXpjvOnrv0WaZHxgmZz1TlLywgOPY= +github.com/Azure/azure-sdk-for-go/sdk/internal v1.1.1/go.mod h1:eWRD7oawr1Mu1sLCawqVc0CUiF43ia3qQMxLscsKQ9w= github.com/Azure/azure-sdk-for-go/sdk/messaging/azservicebus v1.0.2/go.mod h1:LH9XQnMr2ZYxQdVdCrzLO9mxeDyrDFa6wbSI3x5zCZk= github.com/Azure/azure-sdk-for-go/sdk/storage/azblob v0.4.1/go.mod h1:eZ4g6GUvXiGulfIbbhh1Xr4XwUYaYaWMqzGD/284wCA= github.com/Azure/azure-sdk-for-go/sdk/storage/azblob v0.5.1 h1:BMTdr+ib5ljLa9MxTJK8x/Ds0MbBb4MfuW5BL0zMJnI= @@ -233,17 +233,17 @@ github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.4.3/go.mod h1:gNsR5CaXK github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.4.9 h1:RKci2D7tMwpvGpDNZnGQw9wk6v7o/xSwFcUAuNPoB8k= github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.4.9/go.mod h1:vCmV1q1VK8eoQJ5+aYE7PkK1K6v41qJ5pJdK3ggCDvg= github.com/aws/aws-sdk-go-v2/config v1.15.15/go.mod h1:A1Lzyy/o21I5/s2FbyX5AevQfSVXpvvIDCoVFD0BC4E= -github.com/aws/aws-sdk-go-v2/config v1.17.10 h1:zBy5QQ/mkvHElM1rygHPAzuH+sl8nsdSaxSWj0+rpdE= -github.com/aws/aws-sdk-go-v2/config v1.17.10/go.mod h1:/4np+UiJJKpWHN7Q+LZvqXYgyjgeXm5+lLfDI6TPZao= +github.com/aws/aws-sdk-go-v2/config v1.18.0 h1:ULASZmfhKR/QE9UeZ7mzYjUzsnIydy/K1YMT6uH1KC0= +github.com/aws/aws-sdk-go-v2/config v1.18.0/go.mod h1:H13DRX9Nv5tAcQvPABrE3dm5XnLp1RC7fVSM3OWiLvA= github.com/aws/aws-sdk-go-v2/credentials v1.12.10/go.mod h1:g5eIM5XRs/OzIIK81QMBl+dAuDyoLN0VYaLP+tBqEOk= -github.com/aws/aws-sdk-go-v2/credentials v1.12.23 h1:LctvcJMIb8pxvk5hQhChpCu0WlU6oKQmcYb1HA4IZSA= -github.com/aws/aws-sdk-go-v2/credentials v1.12.23/go.mod h1:0awX9iRr/+UO7OwRQFpV1hNtXxOVuehpjVEzrIAYNcA= +github.com/aws/aws-sdk-go-v2/credentials v1.13.0 h1:W5f73j1qurASap+jdScUo4aGzSXxaC7wq1i7CiwhvU8= +github.com/aws/aws-sdk-go-v2/credentials v1.13.0/go.mod h1:prZpUfBu1KZLBLVX482Sq4DpDXGugAre08TPEc21GUg= github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.12.9/go.mod h1:KDCCm4ONIdHtUloDcFvK2+vshZvx4Zmj7UMDfusuz5s= github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.12.19 h1:E3PXZSI3F2bzyj6XxUXdTIfvp425HHhwKsFvmzBwHgs= github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.12.19/go.mod h1:VihW95zQpeKQWVPGkwT+2+WJNQV8UXFfMTWdU6VErL8= github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.11.21/go.mod h1:iIYPrQ2rYfZiB/iADYlhj9HHZ9TTi6PqKQPAqygohbE= -github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.11.37 h1:e1VtTBo+cLNjres0wTlMkmwCGGRjDEkkrz3frxxcaCs= -github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.11.37/go.mod h1:kdAV1UMnCkyG6tZJUC4mHbPoRjPA3dIK0L8mnsHERiM= +github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.11.39 h1:Fz/t08vTFdz63ZnlrQBLOMgBCNqdKmMQWE/XjKm1jt4= +github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.11.39/go.mod h1:763L1Xloj/mjT0do5k9d0qh0vEAVuomDPn1iOG2AdB4= github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.15/go.mod h1:pWrr2OoHlT7M/Pd2y4HV3gJyPb3qj5qMmnPkKSNPYK4= github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.25 h1:nBO/RFxeq/IS5G9Of+ZrgucRciie2qpLy++3UGZ+q2E= github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.25/go.mod h1:Zb29PYkf42vVYQY6pvSyJCJcFHlPIiY+YKdPtwnvMkY= @@ -269,14 +269,14 @@ github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.13.9/go.mod h1:Rc5+wn2 github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.13.19 h1:piDBAaWkaxkkVV3xJJbTehXCZRXYs49kvpi/LG6LR2o= github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.13.19/go.mod h1:BmQWRVkLTmyNzYPFAZgon53qKLWBNSvonugD1MrSWUs= github.com/aws/aws-sdk-go-v2/service/kms v1.18.1/go.mod h1:4PZMUkc9rXHWGVB5J9vKaZy3D7Nai79ORworQ3ASMiM= -github.com/aws/aws-sdk-go-v2/service/marketplacemetering v1.13.21 h1:LpIut7TpOhp8RuTD72PBj8ksPy3+RelT3LPwGgQ8+Hg= -github.com/aws/aws-sdk-go-v2/service/marketplacemetering v1.13.21/go.mod h1:mRGY+k3s1yt7yQA3AfzJhnr68OCs1xDfQfIABFUk+ek= +github.com/aws/aws-sdk-go-v2/service/marketplacemetering v1.13.22 h1:abXVcIh8pjiuWdPBk8vZYwxO5yZCmRHR8grHf6ZqCdY= +github.com/aws/aws-sdk-go-v2/service/marketplacemetering v1.13.22/go.mod h1:mRGY+k3s1yt7yQA3AfzJhnr68OCs1xDfQfIABFUk+ek= github.com/aws/aws-sdk-go-v2/service/s3 v1.27.2/go.mod h1:u+566cosFI+d+motIz3USXEh6sN8Nq4GrNXSg2RXVMo= -github.com/aws/aws-sdk-go-v2/service/s3 v1.29.1 h1:/EMdFPW/Ppieh0WUtQf1+qCGNLdsq5UWUyevBQ6vMVc= -github.com/aws/aws-sdk-go-v2/service/s3 v1.29.1/go.mod h1:/NHbqPRiwxSPVOB2Xr+StDEH+GWV/64WwnUjv4KYzV0= +github.com/aws/aws-sdk-go-v2/service/s3 v1.29.2 h1:l29X5biLks99HzZzQgC78plJpwiMv/pGNhmaTM2z62A= +github.com/aws/aws-sdk-go-v2/service/s3 v1.29.2/go.mod h1:/NHbqPRiwxSPVOB2Xr+StDEH+GWV/64WwnUjv4KYzV0= github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.15.14/go.mod h1:xakbH8KMsQQKqzX87uyyzTHshc/0/Df8bsTneTS5pFU= -github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.16.4 h1:Hx79EGrkKNJya2iz2U5A7nyr7DjOu/TGTRefThfBZ1w= -github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.16.4/go.mod h1:k6CPuxyzO247nYEM1baEwHH1kRtosRCvgahAepaaShw= +github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.16.5 h1:De+sGzRmk6+/lzKqZXa6RdC1ZVGLPHI1nvjOxw4ooj0= +github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.16.5/go.mod h1:k6CPuxyzO247nYEM1baEwHH1kRtosRCvgahAepaaShw= github.com/aws/aws-sdk-go-v2/service/sns v1.17.10/go.mod h1:uITsRNVMeCB3MkWpXxXw0eDz8pW4TYLzj+eyQtbhSxM= github.com/aws/aws-sdk-go-v2/service/sqs v1.19.1/go.mod h1:A94o564Gj+Yn+7QO1eLFeI7UVv3riy/YBFOfICVqFvU= github.com/aws/aws-sdk-go-v2/service/ssm v1.27.6/go.mod h1:fiFzQgj4xNOg4/wqmAiPvzgDMXPD+cUEplX/CYn+0j0= @@ -286,8 +286,8 @@ github.com/aws/aws-sdk-go-v2/service/sso v1.11.25/go.mod h1:IARHuzTXmj1C0KS35vbo github.com/aws/aws-sdk-go-v2/service/ssooidc v1.13.8 h1:jcw6kKZrtNfBPJkaHrscDOZoe5gvi9wjudnxvozYFJo= github.com/aws/aws-sdk-go-v2/service/ssooidc v1.13.8/go.mod h1:er2JHN+kBY6FcMfcBBKNGCT3CarImmdFzishsqBmSRI= github.com/aws/aws-sdk-go-v2/service/sts v1.16.10/go.mod h1:cftkHYN6tCDNfkSasAmclSfl4l7cySoay8vz7p/ce0E= -github.com/aws/aws-sdk-go-v2/service/sts v1.17.1 h1:KRAix/KHvjGODaHAMXnxRk9t0D+4IJVUuS/uwXxngXk= -github.com/aws/aws-sdk-go-v2/service/sts v1.17.1/go.mod h1:bXcN3koeVYiJcdDU89n3kCYILob7Y34AeLopUbZgLT4= +github.com/aws/aws-sdk-go-v2/service/sts v1.17.2 h1:tpwEMRdMf2UsplengAOnmSIRdvAxf75oUFR+blBr92I= +github.com/aws/aws-sdk-go-v2/service/sts v1.17.2/go.mod h1:bXcN3koeVYiJcdDU89n3kCYILob7Y34AeLopUbZgLT4= github.com/aws/smithy-go v1.12.0/go.mod h1:Tg+OJXh4MB2R/uN61Ko2f6hTZwB/ZYGOtib8J3gBHzA= github.com/aws/smithy-go v1.13.4 h1:/RN2z1txIJWeXeOkzX+Hk/4Uuvv7dWtCjbmVJcrskyk= github.com/aws/smithy-go v1.13.4/go.mod h1:Tg+OJXh4MB2R/uN61Ko2f6hTZwB/ZYGOtib8J3gBHzA= @@ -358,8 +358,8 @@ github.com/cncf/xds/go v0.0.0-20211001041855-01bcc9b48dfe/go.mod h1:eXthEFrGJvWH github.com/cncf/xds/go v0.0.0-20211011173535-cb28da3451f1/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs= github.com/cncf/xds/go v0.0.0-20220314180256-7f1daf1720fc/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs= github.com/cockroachdb/apd v1.1.0/go.mod h1:8Sl8LxpKi29FqWXR16WEFZRNSz3SoPzUzeMeY4+DwBQ= -github.com/cockroachdb/cockroach-go/v2 v2.2.16 h1:t9dmZuC9J2W8IDQDSIGXmP+fBuEJSsrGXxWQz4cYqBY= -github.com/cockroachdb/cockroach-go/v2 v2.2.16/go.mod h1:xZ2VHjUEb/cySv0scXBx7YsBnHtLHkR1+w/w73b5i3M= +github.com/cockroachdb/cockroach-go/v2 v2.2.18 h1:bRNZWqzRSZesVYFjDAl1jgFb1jhIFIEreWIC2kPbcdY= +github.com/cockroachdb/cockroach-go/v2 v2.2.18/go.mod h1:mzlIDDBALQfEjv/7DU12fb2AfQ/MUYTlychcMpWp9QI= github.com/cockroachdb/datadriven v0.0.0-20190809214429-80d97fb3cbaa/go.mod h1:zn76sxSg3SzpJ0PPJaLDCu+Bu0Lg3sKTORVIj19EIF8= github.com/cockroachdb/datadriven v0.0.0-20200714090401-bf6692d28da5/go.mod h1:h6jFvWxBdQXxjopDMZyH2UVceIRfR84bdzbkoKrsWNo= github.com/cockroachdb/errors v1.2.4/go.mod h1:rQD95gz6FARkaKkQXUksEje/d9a6wBJoCr5oaCLELYA= @@ -480,8 +480,8 @@ github.com/coreos/go-systemd/v22 v22.0.0/go.mod h1:xO0FLkIi5MaZafQlIrOotqXZ90ih+ github.com/coreos/go-systemd/v22 v22.1.0/go.mod h1:xO0FLkIi5MaZafQlIrOotqXZ90ih+1atmu1JpKERPPk= github.com/coreos/go-systemd/v22 v22.3.2/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc= github.com/coreos/go-systemd/v22 v22.3.3-0.20220203105225-a9a7ef127534/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc= -github.com/coreos/go-systemd/v22 v22.4.0 h1:y9YHcjnjynCd/DVbg5j9L/33jQM3MxJlbj/zWskzfGU= -github.com/coreos/go-systemd/v22 v22.4.0/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc= +github.com/coreos/go-systemd/v22 v22.5.0 h1:RrqgGjYQKalulkV8NGVIfkXQf6YYmOyiJKk8iXXhfZs= +github.com/coreos/go-systemd/v22 v22.5.0/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc= github.com/coreos/pkg v0.0.0-20160727233714-3ac0863d7acf/go.mod h1:E3G3o1h8I7cfcXa63jLwjI0eiQQMgzzUDFVpN/nH/eA= github.com/coreos/pkg v0.0.0-20180928190104-399ea9e2e55f/go.mod h1:E3G3o1h8I7cfcXa63jLwjI0eiQQMgzzUDFVpN/nH/eA= github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU= @@ -501,7 +501,6 @@ github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSs github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/decred/dcrd/crypto/blake256 v1.0.0/go.mod h1:sQl2p6Y26YV+ZOcSTP6thNdn47hh8kt6rqSlvmrXFAc= -github.com/decred/dcrd/dcrec/secp256k1/v4 v4.0.0-20210816181553-5444fa50b93d/go.mod h1:tmAIfUFEirG/Y8jhZ9M+h36obRZAk/1fcSpXwAVlfqE= github.com/decred/dcrd/dcrec/secp256k1/v4 v4.1.0 h1:HbphB4TFFXpv7MNrT52FGrrgVXF1owhMVTHFZIlnvd4= github.com/decred/dcrd/dcrec/secp256k1/v4 v4.1.0/go.mod h1:DZGJHZMqrU4JJqFAWUS2UO1+lbSKsdiOoYi9Zzey7Fc= github.com/denisenkom/go-mssqldb v0.12.2/go.mod h1:lnIw1mZukFRZDJYQ0Pb833QS2IaC3l5HkEfra2LJ+sk= @@ -608,11 +607,10 @@ github.com/gin-gonic/gin v1.6.3/go.mod h1:75u5sXoLsGZoRN5Sgbi1eraJ4GU3++wFwWzhwv github.com/gin-gonic/gin v1.7.7/go.mod h1:axIBovoeJpVj8S3BwE0uPMTeReE4+AfFtqpqaZ1qq1U= github.com/go-acme/lego/v4 v4.9.0 h1:8Hjj44IqRS7cigshMyFQ+0pIZvwgkG/+9A0UnNh7G8A= github.com/go-acme/lego/v4 v4.9.0/go.mod h1:g3JRUyWS3L/VObpp4bCxzJftKyf/Wba8QrSSnoiqjg4= -github.com/go-chi/chi/v5 v5.0.4/go.mod h1:DslCQbL2OYiznFReuXYUmQ2hGd1aDpCnlMNITLSKoi8= github.com/go-chi/chi/v5 v5.0.8-0.20221018120124-e5529d9db4d3 h1:qzwVVqrbdP93ZaSHy0yWQRYnig+t+j1OxnVtEs8SFuQ= github.com/go-chi/chi/v5 v5.0.8-0.20221018120124-e5529d9db4d3/go.mod h1:DslCQbL2OYiznFReuXYUmQ2hGd1aDpCnlMNITLSKoi8= -github.com/go-chi/jwtauth/v5 v5.0.2 h1:CSKtr+b6Jnfy5T27sMaiBPxaVE/bjnjS3ramFQ0526w= -github.com/go-chi/jwtauth/v5 v5.0.2/go.mod h1:TeA7vmPe3uYThvHw8O8W13HOOpOd4MTgToxL41gZyjs= +github.com/go-chi/jwtauth/v5 v5.1.0 h1:wJyf2YZ/ohPvNJBwPOzZaQbyzwgMZZceE1m8FOzXLeA= +github.com/go-chi/jwtauth/v5 v5.1.0/go.mod h1:MA93hc1au3tAQwCKry+fI4LqJ5MIVN4XSsglOo+lSc8= github.com/go-chi/render v1.0.2 h1:4ER/udB0+fMWB2Jlf15RV3F4A2FDuYi/9f+lFttR/Lg= github.com/go-chi/render v1.0.2/go.mod h1:/gr3hVkmYR0YlEy3LxCuVRFzEu9Ruok+gFqbIofjao0= github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU= @@ -712,8 +710,6 @@ github.com/gobuffalo/syncx v0.0.0-20190224160051-33c29581e754/go.mod h1:HhnNqWY9 github.com/gobwas/httphead v0.0.0-20180130184737-2c6c146eadee/go.mod h1:L0fX3K22YWvt/FAX9NnzrNzcI4wNYi9Yku4O0LKYflo= github.com/gobwas/pool v0.2.0/go.mod h1:q8bcK0KcYlCgd9e7WYLm9LpyS+YeLd8JVDW6WezmKEw= github.com/gobwas/ws v1.0.2/go.mod h1:szmBTxLgaFppYjEmNtny/v3w89xOydFnnZMcgRRu/EM= -github.com/goccy/go-json v0.7.6/go.mod h1:6MelG93GURQebXPDq3khkgXZkazVtN9CRI+MGFi0w8I= -github.com/goccy/go-json v0.9.7/go.mod h1:6MelG93GURQebXPDq3khkgXZkazVtN9CRI+MGFi0w8I= github.com/goccy/go-json v0.9.11 h1:/pAaQDLHEoCq/5FFmSKBswWmK6H0e8g4159Kc/X/nqk= github.com/goccy/go-json v0.9.11/go.mod h1:6MelG93GURQebXPDq3khkgXZkazVtN9CRI+MGFi0w8I= github.com/goccy/go-yaml v1.9.5/go.mod h1:U/jl18uSupI5rdI2jmuCswEA2htH9eXfferR3KfscvA= @@ -923,8 +919,8 @@ github.com/hashicorp/go-multierror v0.0.0-20161216184304-ed905158d874/go.mod h1: github.com/hashicorp/go-multierror v1.0.0/go.mod h1:dHtQlpGsu+cZNNAkkCN/P3hoUDHhCYQXV3UM06sGGrk= github.com/hashicorp/go-multierror v1.1.0/go.mod h1:spPvp8C1qA32ftKqdAHm4hHTbPw+vmowP0z+KUhOZdA= github.com/hashicorp/go-multierror v1.1.1/go.mod h1:iw975J/qwKPdAO1clOe2L8331t/9/fmwbPZ6JB6eMoM= -github.com/hashicorp/go-plugin v1.4.5 h1:oTE/oQR4eghggRg8VY7PAz3dr++VwDNBGCcOfIvHpBo= -github.com/hashicorp/go-plugin v1.4.5/go.mod h1:viDMjcLJuDui6pXb8U4HVfb8AamCWhHGUjr2IrTF67s= +github.com/hashicorp/go-plugin v1.4.6 h1:MDV3UrKQBM3du3G7MApDGvOsMYy3JQJ4exhSoKBAeVA= +github.com/hashicorp/go-plugin v1.4.6/go.mod h1:viDMjcLJuDui6pXb8U4HVfb8AamCWhHGUjr2IrTF67s= github.com/hashicorp/go-retryablehttp v0.5.3/go.mod h1:9B5zBasrRhHXnJnui7y6sL7es7NDiJgTc6Er0maI1Xs= github.com/hashicorp/go-retryablehttp v0.7.1 h1:sUiuQAnLlbvmExtFQs72iFW/HXeUn8Z1aJLQ4LJJbTQ= github.com/hashicorp/go-retryablehttp v0.7.1/go.mod h1:vAew36LZh98gCBJNLH42IQ1ER/9wtLZZ8meHqQvEYWY= @@ -1013,8 +1009,8 @@ github.com/jackc/pgx/v4 v4.0.0-pre1.0.20190824185557-6972a5742186/go.mod h1:X+GQ github.com/jackc/pgx/v4 v4.12.1-0.20210724153913-640aa07df17c/go.mod h1:1QD0+tgSXP7iUjYm9C1NxKhny7lq6ee99u/z+IHFcgs= github.com/jackc/pgx/v4 v4.16.0/go.mod h1:N0A9sFdWzkw/Jy1lwoiB64F2+ugFZi987zRxcPez/wI= github.com/jackc/pgx/v4 v4.16.1/go.mod h1:SIhx0D5hoADaiXZVyv+3gSm3LCIIINTVO0PficsvWGQ= -github.com/jackc/pgx/v5 v5.0.4 h1:r5O6y84qHX/z/HZV40JBdx2obsHz7/uRj5b+CcYEdeY= -github.com/jackc/pgx/v5 v5.0.4/go.mod h1:U0ynklHtgg43fue9Ly30w3OCSTDPlXjig9ghrNGaguQ= +github.com/jackc/pgx/v5 v5.1.0 h1:Z7pLKUb65HK6m18No8GGKT87K34NhIIEHa86rRdjxbU= +github.com/jackc/pgx/v5 v5.1.0/go.mod h1:Ptn7zmohNsWEsdxRawMzk3gaKma2obW+NWTnKa0S4nk= github.com/jackc/puddle v0.0.0-20190413234325-e4ced69a3a2b/go.mod h1:m4B5Dj62Y0fbyuIc15OsIqK0+JU8nkqQjsgx7dvjSWk= github.com/jackc/puddle v0.0.0-20190608224051-11cab39313c9/go.mod h1:m4B5Dj62Y0fbyuIc15OsIqK0+JU8nkqQjsgx7dvjSWk= github.com/jackc/puddle v1.1.3/go.mod h1:m4B5Dj62Y0fbyuIc15OsIqK0+JU8nkqQjsgx7dvjSWk= @@ -1063,8 +1059,9 @@ github.com/klauspost/compress v1.15.1/go.mod h1:/3/Vjq9QcHkK5uEr5lBEmyoZ1iFhe47e github.com/klauspost/compress v1.15.12 h1:YClS/PImqYbn+UILDnqxQCZ3RehC9N318SU3kElDUEM= github.com/klauspost/compress v1.15.12/go.mod h1:QPwzmACJjUTFsnSHH934V6woptycfrDDJnH7hvFVbGM= github.com/klauspost/cpuid/v2 v2.0.4/go.mod h1:FInQzS24/EEf25PyTYn52gqo7WaD8xa0213Md/qVLRg= -github.com/klauspost/cpuid/v2 v2.1.2 h1:XhdX4fqAJUA0yj+kUwMavO0hHrSPAecYdYf1ZmxHvak= github.com/klauspost/cpuid/v2 v2.1.2/go.mod h1:RVVoqg1df56z8g3pUjL/3lE5UfnlrJX8tyFgg4nqhuY= +github.com/klauspost/cpuid/v2 v2.2.1 h1:U33DW0aiEj633gHYw3LoDNfkDiYnE5Q8M/TKJn2f2jI= +github.com/klauspost/cpuid/v2 v2.2.1/go.mod h1:RVVoqg1df56z8g3pUjL/3lE5UfnlrJX8tyFgg4nqhuY= github.com/kolo/xmlrpc v0.0.0-20201022064351-38db28db192b/go.mod h1:pcaDhQK0/NJZEvtCO0qQPPropqV0sJOJ6YW7X+9kRwM= github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= github.com/konsorten/go-windows-terminal-sequences v1.0.2/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= @@ -1087,21 +1084,16 @@ github.com/kylelemons/godebug v0.0.0-20170820004349-d65d576e9348/go.mod h1:B69LE github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc= github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw= github.com/leodido/go-urn v1.2.0/go.mod h1:+8+nEpDfqqsY+g338gtMEUOtuK+4dEMhiQEgxpxOKII= -github.com/lestrrat-go/backoff/v2 v2.0.8 h1:oNb5E5isby2kiro9AgdHLv5N5tint1AnDVVf2E2un5A= -github.com/lestrrat-go/backoff/v2 v2.0.8/go.mod h1:rHP/q/r9aT27n24JQLa7JhSQZCKBBOiM/uP402WwN8Y= -github.com/lestrrat-go/blackmagic v1.0.0/go.mod h1:TNgH//0vYSs8VXDCfkZLgIrVTTXQELZffUV0tz3MtdQ= github.com/lestrrat-go/blackmagic v1.0.1 h1:lS5Zts+5HIC/8og6cGHb0uCcNCa3OUt1ygh3Qz2Fe80= github.com/lestrrat-go/blackmagic v1.0.1/go.mod h1:UrEqBzIR2U6CnzVyUtfM6oZNMt/7O7Vohk2J0OGSAtU= -github.com/lestrrat-go/codegen v1.0.1/go.mod h1:JhJw6OQAuPEfVKUCLItpaVLumDGWQznd1VaXrBk9TdM= -github.com/lestrrat-go/httpcc v1.0.0/go.mod h1:tGS/u00Vh5N6FHNkExqGGNId8e0Big+++0Gf8MBnAvE= github.com/lestrrat-go/httpcc v1.0.1 h1:ydWCStUeJLkpYyjLDHihupbn2tYmZ7m22BGkcvZZrIE= github.com/lestrrat-go/httpcc v1.0.1/go.mod h1:qiltp3Mt56+55GPVCbTdM9MlqhvzyuL6W/NMDA8vA5E= -github.com/lestrrat-go/iter v1.0.1/go.mod h1:zIdgO1mRKhn8l9vrZJZz9TUMMFbQbLeTsbqPDrJ/OJc= +github.com/lestrrat-go/httprc v1.0.4 h1:bAZymwoZQb+Oq8MEbyipag7iSq6YIga8Wj6GOiJGdI8= +github.com/lestrrat-go/httprc v1.0.4/go.mod h1:mwwz3JMTPBjHUkkDv/IGJ39aALInZLrhBp0X7KGUZlo= github.com/lestrrat-go/iter v1.0.2 h1:gMXo1q4c2pHmC3dn8LzRhJfP1ceCbgSiT9lUydIzltI= github.com/lestrrat-go/iter v1.0.2/go.mod h1:Momfcq3AnRlRjI5b5O8/G5/BvpzrhoFTZcn06fEOPt4= -github.com/lestrrat-go/jwx v1.2.6/go.mod h1:tJuGuAI3LC71IicTx82Mz1n3w9woAs2bYJZpkjJQ5aU= -github.com/lestrrat-go/jwx v1.2.25 h1:tAx93jN2SdPvFn08fHNAhqFJazn5mBBOB8Zli0g0otA= -github.com/lestrrat-go/jwx v1.2.25/go.mod h1:zoNuZymNl5lgdcu6P7K6ie2QRll5HVfF4xwxBBK1NxY= +github.com/lestrrat-go/jwx/v2 v2.0.7 h1:vNh7cA5pKS/1muWYpM1GeUHBCf/r1UFxYN60iv7LFRA= +github.com/lestrrat-go/jwx/v2 v2.0.7/go.mod h1:zLxnyv9rTlEvOUHbc48FAfIL8iYu2hHvIRaTFGc8mT0= github.com/lestrrat-go/option v1.0.0 h1:WqAWL8kh8VcSoD6xjSH34/1m8yxluXQbDeKNfvFeEO4= github.com/lestrrat-go/option v1.0.0/go.mod h1:5ZHFbivi4xwXxhxY9XHDe2FHo6/Z7WWmtT7T5nBBp3I= github.com/lib/pq v1.0.0/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo= @@ -1304,13 +1296,13 @@ github.com/openzipkin-contrib/zipkin-go-opentracing v0.4.5/go.mod h1:/wsWhb9smxS github.com/openzipkin/zipkin-go v0.1.6/go.mod h1:QgAqvLzwWbR/WpD4A3cGpPtJrZXNIiJc5AZX7/PBEpw= github.com/openzipkin/zipkin-go v0.2.1/go.mod h1:NaW6tEwdmWMaCDZzg8sh+IBNOxHMPnhQw8ySjnjRyN4= github.com/openzipkin/zipkin-go v0.2.2/go.mod h1:NaW6tEwdmWMaCDZzg8sh+IBNOxHMPnhQw8ySjnjRyN4= -github.com/otiai10/copy v1.7.0 h1:hVoPiN+t+7d2nzzwMiDHPSOogsWAStewq3TwU05+clE= -github.com/otiai10/copy v1.7.0/go.mod h1:rmRl6QPdJj6EiUqXQ/4Nn2lLXoNQjFCQbbNrxgc/t3U= +github.com/otiai10/copy v1.9.0 h1:7KFNiCgZ91Ru4qW4CWPf/7jqtxLagGRmIxWldPP9VY4= +github.com/otiai10/copy v1.9.0/go.mod h1:hsfX19wcn0UWIHUQ3/4fHuehhk2UyArQ9dVFAn3FczI= github.com/otiai10/curr v0.0.0-20150429015615-9b4961190c95/go.mod h1:9qAhocn7zKJG+0mI8eUu6xqkFDYS2kb2saOteoSB3cE= github.com/otiai10/curr v1.0.0/go.mod h1:LskTG5wDwr8Rs+nNQ+1LlxRjAtTZZjtJW4rMXl6j4vs= github.com/otiai10/mint v1.3.0/go.mod h1:F5AjcsTsWUqX+Na9fpHb52P8pcRX2CI6A3ctIT91xUo= -github.com/otiai10/mint v1.3.3 h1:7JgpsBaN0uMkyju4tbYHu0mnM55hNKVYLsXmwr15NQI= -github.com/otiai10/mint v1.3.3/go.mod h1:/yxELlJQ0ufhjUwhshSj+wFjZ78CnZ48/1wtmBH1OTc= +github.com/otiai10/mint v1.4.0 h1:umwcf7gbpEwf7WFzqmWwSv0CzbeMsae2u9ZvpP8j2q4= +github.com/otiai10/mint v1.4.0/go.mod h1:gifjb2MYOoULtKLqUAEILUG/9KONW6f7YsJ6vQLTlFI= github.com/pact-foundation/pact-go v1.0.4/go.mod h1:uExwJY4kCzNPcHRj+hCR/HBbOOIwwtUjcrb0b5/5kLM= github.com/pascaldekloe/goe v0.0.0-20180627143212-57f6aae5913c/go.mod h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144TG7ZOy1lc= github.com/pascaldekloe/goe v0.1.0/go.mod h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144TG7ZOy1lc= @@ -1367,8 +1359,8 @@ github.com/prometheus/client_golang v1.7.1/go.mod h1:PY5Wy2awLA44sXw4AOSfFBetzPP github.com/prometheus/client_golang v1.11.0/go.mod h1:Z6t4BnS23TR94PD6BsDNk8yVqroYurpAkEiz0P2BEV0= github.com/prometheus/client_golang v1.12.1/go.mod h1:3Z9XVyYiZYEO+YQWt3RD2R3jrbd179Rt297l4aS6nDY= github.com/prometheus/client_golang v1.12.2/go.mod h1:3Z9XVyYiZYEO+YQWt3RD2R3jrbd179Rt297l4aS6nDY= -github.com/prometheus/client_golang v1.13.1 h1:3gMjIY2+/hzmqhtUC/aQNYldJA6DtH3CgQvwS+02K1c= -github.com/prometheus/client_golang v1.13.1/go.mod h1:vTeo+zgvILHsnnj/39Ou/1fPN5nJFOEMgftOUOmlvYQ= +github.com/prometheus/client_golang v1.14.0 h1:nJdhIvne2eSX/XRAFV9PcvFFRbrjbcTUj0VP62TMhnw= +github.com/prometheus/client_golang v1.14.0/go.mod h1:8vpkKitgIVNcqrRBWh1C4TIUQgYNtG/XQE4E/Zae36Y= github.com/prometheus/client_model v0.0.0-20171117100541-99fa1f4be8e5/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo= github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo= github.com/prometheus/client_model v0.0.0-20190115171406-56726106282f/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo= @@ -1453,8 +1445,8 @@ github.com/sean-/seed v0.0.0-20170313163322-e2103e2c3529/go.mod h1:DxrIzT+xaE7yg github.com/seccomp/libseccomp-golang v0.9.1/go.mod h1:GbW5+tmTXfcxTToHLXlScSlAvWlF4P2Ca7zGrPiEpWo= github.com/seccomp/libseccomp-golang v0.9.2-0.20210429002308-3879420cc921/go.mod h1:JA8cRccbGaA1s33RQf7Y1+q9gHmZX1yB/z9WDN1C6fg= github.com/secsy/goftp v0.0.0-20200609142545-aa2de14babf4 h1:PT+ElG/UUFMfqy5HrxJxNzj3QBOf7dZwupeVC+mG1Lo= -github.com/sftpgo/sdk v0.1.3-0.20221105153737-bae9afc6b356 h1:VwFpy5W/pP0X+082xKU2yu4OAwuk8Qqa8j2ofImJ1bM= -github.com/sftpgo/sdk v0.1.3-0.20221105153737-bae9afc6b356/go.mod h1:Giy5vj7Gmju0nGlmBNd28DwPo0G0o1nr9XkE+vu3i+o= +github.com/sftpgo/sdk v0.1.3-0.20221116180328-3fc64e926700 h1:hfUjwmNPMqE9o5oIBxDQZE0FJ8IqlJwVVhATQYwe2Ao= +github.com/sftpgo/sdk v0.1.3-0.20221116180328-3fc64e926700/go.mod h1:Giy5vj7Gmju0nGlmBNd28DwPo0G0o1nr9XkE+vu3i+o= github.com/shirou/gopsutil/v3 v3.22.10 h1:4KMHdfBRYXGF9skjDWiL4RA2N+E8dRdodU/bOZpPoVg= github.com/shirou/gopsutil/v3 v3.22.10/go.mod h1:QNza6r4YQoydyCfo6rH0blGfKahgibh4dQmV5xdFkQk= github.com/shopspring/decimal v0.0.0-20180709203117-cd690d0c9e24/go.mod h1:M+9NzErvs504Cn4c5DxATwIqPbtswREoFCre64PpcG4= @@ -1483,8 +1475,8 @@ github.com/spf13/afero v1.1.2/go.mod h1:j4pytiNVoe2o6bmDsKpLACNPDBIoEAkihy7loJ1B github.com/spf13/afero v1.2.2/go.mod h1:9ZxEEn6pIJ8Rxe320qSDBk6AsU0r9pR7Q4OcevTdifk= github.com/spf13/afero v1.3.3/go.mod h1:5KUK8ByomD5Ti5Artl0RtHeI5pTF7MIDuXL3yY520V4= github.com/spf13/afero v1.6.0/go.mod h1:Ai8FlHk4v/PARR026UzYexafAt9roJ7LcLMAmO6Z93I= -github.com/spf13/afero v1.9.2 h1:j49Hj62F0n+DaZ1dDCvhABaPNSGNkt32oRFxI33IEMw= -github.com/spf13/afero v1.9.2/go.mod h1:iUV7ddyEEZPO5gA3zD4fJt6iStLlL+Lg4m2cihcDf8Y= +github.com/spf13/afero v1.9.3 h1:41FoI0fD7OR7mGcKE/aOiLkGreyf8ifIOQmJANWogMk= +github.com/spf13/afero v1.9.3/go.mod h1:iUV7ddyEEZPO5gA3zD4fJt6iStLlL+Lg4m2cihcDf8Y= github.com/spf13/cast v1.3.0/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE= github.com/spf13/cast v1.3.1/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE= github.com/spf13/cast v1.5.0 h1:rj3WzYc11XZaIZMPKmwP96zkFEnnAmV8s6XbB2aY32w= @@ -1506,8 +1498,8 @@ github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA= github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= github.com/spf13/viper v1.4.0/go.mod h1:PTJ7Z/lr49W6bUbkmS1V3by4uWynFiR9p7+dSq/yZzE= github.com/spf13/viper v1.7.0/go.mod h1:8WkrPz2fc9jxqZNCJI/76HCieCp4Q8HaLFoCha5qpdg= -github.com/spf13/viper v1.13.0 h1:BWSJ/M+f+3nmdz9bxB+bWX28kkALN2ok11D0rSo8EJU= -github.com/spf13/viper v1.13.0/go.mod h1:Icm2xNL3/8uyh/wFuB1jI7TiTNKp8632Nwegu+zgdYw= +github.com/spf13/viper v1.14.0 h1:Rg7d3Lo706X9tHsJMUjdiwMpHB7W8WnSVOssIY+JElU= +github.com/spf13/viper v1.14.0/go.mod h1:WT//axPky3FdvXHzGw33dNdXXXfFQqmEalje+egj8As= github.com/stefanberger/go-pkcs11uri v0.0.0-20201008174630-78d3cae3a980/go.mod h1:AO3tvPzVZ/ayst6UlUKUv6rcPQInYe3IknH3jYhAKu8= github.com/stoewer/go-strcase v1.2.0/go.mod h1:IBiWB2sKIp3wVVQ3Y035++gc+knqhUQag1KpM8ahLw8= github.com/streadway/amqp v0.0.0-20190404075320-75d898a42a94/go.mod h1:AZpEONHx3DKn8O/DFsRAY58/XVQiIPMTMB1SddzLXVw= @@ -1532,8 +1524,8 @@ github.com/stretchr/testify v1.7.5/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU= github.com/stretchr/testify v1.8.1 h1:w7B6lhMri9wdJUVmEZPGGhZzrYTPvgJArz7wNPgYKsk= github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4= -github.com/studio-b12/gowebdav v0.0.0-20221102155456-200a600c0272 h1:dXbdJSdxf0EnR4SkcsfRNuGCvoEk9lavXbSCFXN2gJc= -github.com/studio-b12/gowebdav v0.0.0-20221102155456-200a600c0272/go.mod h1:bHA7t77X/QFExdeAnDzK6vKM34kEZAcE1OX4MfiwjkE= +github.com/studio-b12/gowebdav v0.0.0-20221109171924-60ec5ad56012 h1:ZC+dlnsjxqrcB68nEFbIEfo4iXsog3Sg8FlXKytAjhY= +github.com/studio-b12/gowebdav v0.0.0-20221109171924-60ec5ad56012/go.mod h1:bHA7t77X/QFExdeAnDzK6vKM34kEZAcE1OX4MfiwjkE= github.com/subosito/gotenv v1.2.0/go.mod h1:N0PQaV/YGNqwC0u51sEeR/aUtSLEXKX9iv69rRypqCw= github.com/subosito/gotenv v1.4.1 h1:jyEFiXpy21Wm81FBN71l9VoMMV8H8jG+qIK3GCpY6Qs= github.com/subosito/gotenv v1.4.1/go.mod h1:ayKnFf/c6rvx/2iiLrJUk1e6plDbT3edrFNGqEflhK0= @@ -1543,11 +1535,12 @@ github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635/go.mod h1:hkRG github.com/tchap/go-patricia v2.2.6+incompatible/go.mod h1:bmLyhP68RS6kStMGxByiQ23RP/odRBOTVjwp2cDyi6I= github.com/tedsuo/ifrit v0.0.0-20180802180643-bea94bb476cc/go.mod h1:eyZnKCc955uh98WQvzOm0dgAeLnf2O0Rz0LPoC5ze+0= github.com/tidwall/pretty v1.0.0/go.mod h1:XNkn88O1ChpSDQmQeStsy+sBenx6DDtFZJxhVysOjyk= -github.com/tklauser/go-sysconf v0.3.10 h1:IJ1AZGZRWbY8T5Vfk04D9WOA5WSejdflXxP03OUqALw= github.com/tklauser/go-sysconf v0.3.10/go.mod h1:C8XykCvCb+Gn0oNCWPIlcb0RuglQTYaQ2hGm7jmxEFk= +github.com/tklauser/go-sysconf v0.3.11 h1:89WgdJhk5SNwJfu+GKyYveZ4IaJ7xAkecBo+KdJV0CM= +github.com/tklauser/go-sysconf v0.3.11/go.mod h1:GqXfhXY3kiPa0nAXPDIQIWzJbMCB7AmcWpGR8lSZfqI= github.com/tklauser/numcpus v0.4.0/go.mod h1:1+UI3pD8NW14VMwdgJNJ1ESk2UnwhAnz5hMwiKKqXCQ= -github.com/tklauser/numcpus v0.5.0 h1:ooe7gN0fg6myJ0EKoTAf5hebTZrH52px3New/D9iJ+A= -github.com/tklauser/numcpus v0.5.0/go.mod h1:OGzpTxpcIMNGYQdit2BYL1pvk/dSOaJWjKoflh+RQjo= +github.com/tklauser/numcpus v0.6.0 h1:kebhY2Qt+3U6RNK7UqpYNA+tJ23IBEGKkB7JQBfDYms= +github.com/tklauser/numcpus v0.6.0/go.mod h1:FEZLMke0lhOUG6w2JadTzp0a+Nl8PF/GFkQ5UVIcaL4= github.com/tmc/grpc-websocket-proxy v0.0.0-20170815181823-89b8d40f7ca8/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U= github.com/tmc/grpc-websocket-proxy v0.0.0-20190109142713-0ad062ec5ee5/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U= github.com/tmc/grpc-websocket-proxy v0.0.0-20201229170055-e5319fda7802/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U= @@ -1583,8 +1576,8 @@ github.com/xdg-go/stringprep v1.0.2/go.mod h1:8F9zXuvzgwmyT5DUm4GUfZGDdT3W+LCvS6 github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f/go.mod h1:N2zxlSyiKSe5eX1tZViRH5QA0qijqEDrYZiPEAiq3wU= github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415/go.mod h1:GwrjFmJcFw6At/Gs6z4yjiIwzuJ1/+UwLxMQDVQXShQ= github.com/xeipuuv/gojsonschema v0.0.0-20180618132009-1d523034197f/go.mod h1:5yf86TLmAcydyeJq5YvxkGPE2fm/u4myDekKRoLuqhs= -github.com/xhit/go-simple-mail/v2 v2.12.0 h1:KweA6NO8Z6fZyeckMPNpvElU6QDIyBShlpce1sYUZgg= -github.com/xhit/go-simple-mail/v2 v2.12.0/go.mod h1:b7P5ygho6SYE+VIqpxA6QkYfv4teeyG4MKqB3utRu98= +github.com/xhit/go-simple-mail/v2 v2.13.0 h1:OANWU9jHZrVfBkNkvLf8Ww0fexwpQVF/v/5f96fFTLI= +github.com/xhit/go-simple-mail/v2 v2.13.0/go.mod h1:b7P5ygho6SYE+VIqpxA6QkYfv4teeyG4MKqB3utRu98= github.com/xiang90/probing v0.0.0-20190116061207-43a291ad63a2/go.mod h1:UETIi67q53MR2AWcXfiuqkDkRtnGDLqkBTpCHuJHxtU= github.com/xlab/treeprint v1.1.0/go.mod h1:gj5Gd3gPdKtR1ikdDK6fnFLdmIS0X30kTTuNd/WEJu0= github.com/xordataexchange/crypt v0.0.3-0.20170626215501-b2862e3d0a77/go.mod h1:aYKd//L2LvnjZzWKhF00oedf4jCCReLcmhLdhm1A27Q= @@ -1741,8 +1734,8 @@ golang.org/x/mod v0.5.0/go.mod h1:5OXOZSfqPIIbmVBIIKWRFfZjPR0E5r58TLhUjH0a2Ro= golang.org/x/mod v0.5.1/go.mod h1:5OXOZSfqPIIbmVBIIKWRFfZjPR0E5r58TLhUjH0a2Ro= golang.org/x/mod v0.6.0-dev.0.20220106191415-9b9b3d81d5e3/go.mod h1:3p9vT2HGsQu2K1YbXdKPJLVgG5VJdoTa1poYQBtP1AY= golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= -golang.org/x/mod v0.6.0 h1:b9gGHsz9/HhJ3HF5DHQytPpuwocVTChQJK3AvoLRD5I= -golang.org/x/mod v0.6.0/go.mod h1:4mET923SAdbXp2ki8ey+zGs1SLqsuM2Y0uvdZR/fUNI= +golang.org/x/mod v0.7.0 h1:LapD9S96VoQRhi/GrNTqeBJFrUjs5UHCAtTlgwA5oZA= +golang.org/x/mod v0.7.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= @@ -1819,8 +1812,9 @@ golang.org/x/net v0.0.0-20220624214902-1bab6f366d9e/go.mod h1:XRhObCWvk6IyKnWLug golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= golang.org/x/net v0.0.0-20220802222814-0bcc04d9c69b/go.mod h1:YDH+HFinaLZZlnHAfSS6ZXJJ9M9t4Dl22yv3iI2vPwk= golang.org/x/net v0.0.0-20220826154423-83b083e8dc8b/go.mod h1:YDH+HFinaLZZlnHAfSS6ZXJJ9M9t4Dl22yv3iI2vPwk= -golang.org/x/net v0.1.0 h1:hZ/3BUoy5aId7sCpA/Tc5lt8DkFgdVS2onTpJsZ/fl0= golang.org/x/net v0.1.0/go.mod h1:Cx3nUiGt4eDBEyega/BKRp+/AlGL8hYe7U9odMt2Cco= +golang.org/x/net v0.2.0 h1:sZfSu1wtKLGlWI4ZZayP0ck9Y73K1ynO6gqzTdBVdPU= +golang.org/x/net v0.2.0/go.mod h1:KqCZLdyyvdV855qA2rE3GC2aiw5xGR5TEjj8smXukLY= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= @@ -1847,8 +1841,8 @@ golang.org/x/oauth2 v0.0.0-20220622183110-fd043fe589d2/go.mod h1:jaDAt6Dkxork7Lm golang.org/x/oauth2 v0.0.0-20220628200809-02e64fa58f26/go.mod h1:jaDAt6Dkxork7LmZnYtzbRWj0W47D86a3TGe0YHBvmE= golang.org/x/oauth2 v0.0.0-20220722155238-128564f6959c/go.mod h1:h4gKUeWbJ4rQPri7E0u6Gs4e9Ri2zaLxzw5DI5XGrYg= golang.org/x/oauth2 v0.0.0-20220822191816-0ebed06d0094/go.mod h1:h4gKUeWbJ4rQPri7E0u6Gs4e9Ri2zaLxzw5DI5XGrYg= -golang.org/x/oauth2 v0.1.0 h1:isLCZuhj4v+tYv7eskaN4v/TM+A1begWWgyVJDdl1+Y= -golang.org/x/oauth2 v0.1.0/go.mod h1:G9FE4dLTsbXUu90h/Pf85g4w1D+SSAgR+q46nJZ8M4A= +golang.org/x/oauth2 v0.2.0 h1:GtQkldQ9m7yvzCL1V+LrYow3Khe0eJH0w7RbX/VbaIU= +golang.org/x/oauth2 v0.2.0/go.mod h1:Cwn6afJ8jrQwYMxQDTpISoXmXW9I6qF6vDeuuoX3Ibs= golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= @@ -2004,19 +1998,21 @@ golang.org/x/sys v0.0.0-20220615213510-4f61da869c0c/go.mod h1:oPkhp1MJrh7nUepCBc golang.org/x/sys v0.0.0-20220624220833-87e55d714810/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220627191245-f75cf1eec38b/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220704084225-05e143d24a9e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220728004956-3c1f35247d10/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220731174439-a90be440212d/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220908164124-27713097b956/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.1.0 h1:kunALQeHf1/185U1i0GOB/fy1IPRDDpuoOOqRReG57U= golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.2.0 h1:ljd4t30dBnAvMZaQCevtY0xLLD0A+bRZXbgLMLU1F/A= +golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210220032956-6a3ed077a48d/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210615171337-6886f2dfbf5b/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= -golang.org/x/term v0.1.0 h1:g6Z6vPFA9dYBAF7DWcH6sCcOntplXsDKcliusYijMlw= golang.org/x/term v0.1.0/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= +golang.org/x/term v0.2.0 h1:z85xZCsEl7bi/KwbNADeBYoOP0++7W1ipu+aGnpwzRM= golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= @@ -2040,8 +2036,8 @@ golang.org/x/time v0.0.0-20220210224613-90d013bbcef8/go.mod h1:tRJNPiyCQ0inRvYxb golang.org/x/time v0.0.0-20220224211638-0e9765cccd65/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20220609170525-579cf78fd858/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20220722155302-e5dcc9cfc0b9/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= -golang.org/x/time v0.1.0 h1:xYY+Bajn2a7VBmTM5GikTmnK8ZuX8YgnQCqZpbBNtmA= -golang.org/x/time v0.1.0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= +golang.org/x/time v0.2.0 h1:52I/1L54xyEQAYdtcSuxtiT84KGYTBGXwayxmIpNJhE= +golang.org/x/time v0.2.0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/tools v0.0.0-20180221164845-07fd8470d635/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20180828015842-6cd1fcedba52/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= @@ -2108,7 +2104,6 @@ golang.org/x/tools v0.0.0-20200804011535-6c149bb5ef0d/go.mod h1:njjCfa9FT2d7l9Bc golang.org/x/tools v0.0.0-20200825202427-b303f430e36d/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA= golang.org/x/tools v0.0.0-20200904185747-39188db58858/go.mod h1:Cj7w3i3Rnn0Xh82ur9kSqwfTHTeVxaDqrfMjpcNT6bE= golang.org/x/tools v0.0.0-20200916195026-c9a70fc28ce3/go.mod h1:z6u4i615ZeAfBE4XtMziQW1fSVJXACjjbWkB/mvPzlU= -golang.org/x/tools v0.0.0-20200918232735-d647fc253266/go.mod h1:z6u4i615ZeAfBE4XtMziQW1fSVJXACjjbWkB/mvPzlU= golang.org/x/tools v0.0.0-20201110124207-079ba7bd75cd/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= golang.org/x/tools v0.0.0-20201201161351-ac6f37ff4c2a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= golang.org/x/tools v0.0.0-20201208233053-a543418bbed2/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= @@ -2116,7 +2111,6 @@ golang.org/x/tools v0.0.0-20201224043029-2b0845dc783e/go.mod h1:emZCQorbCU4vsT4f golang.org/x/tools v0.0.0-20210105154028-b0ab187a4818/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= golang.org/x/tools v0.0.0-20210108195828-e2f9c7f1fc8e/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= -golang.org/x/tools v0.0.0-20210114065538-d78b04bdf963/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= golang.org/x/tools v0.1.0/go.mod h1:xkSsbof2nBLbhDlRMhhhyNLN/zl3eTqcnHD5viDpcZ0= golang.org/x/tools v0.1.1/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= golang.org/x/tools v0.1.2/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= @@ -2128,8 +2122,8 @@ golang.org/x/tools v0.1.9/go.mod h1:nABZi5QlRsZVlzPpHl034qft6wpY4eDcsTt5AaioBiU= golang.org/x/tools v0.1.10/go.mod h1:Uh6Zz+xoGYZom868N8YTex3t7RhtHDBrE8Gzo9bV56E= golang.org/x/tools v0.1.11/go.mod h1:SgwaegtQh8clINPpECJMqnxLv9I09HLqnW3RMqW0CA4= golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc= -golang.org/x/tools v0.2.0 h1:G6AHpWxTMGY1KyEYoAQ5WTtIekUUvDNjan3ugu60JvE= -golang.org/x/tools v0.2.0/go.mod h1:y4OqIKeOV/fWJetJ8bXPU1sEVniLMIyDAZWeHdV+NTA= +golang.org/x/tools v0.3.0 h1:SrNbZl6ECOS1qFzgTdQfWXZM9XBkiA6tkFrH9YSTPHM= +golang.org/x/tools v0.3.0/go.mod h1:/rWhSS2+zyEVwoJf8YAX6L2f0ntZ7Kn/mGgAWcipA5k= golang.org/x/xerrors v0.0.0-20190410155217-1f06c39b4373/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20190513163551-3ee3066db522/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= @@ -2189,8 +2183,8 @@ google.golang.org/api v0.85.0/go.mod h1:AqZf8Ep9uZ2pyTvgL+x0D3Zt0eoT9b5E8fmzfu6F google.golang.org/api v0.86.0/go.mod h1:+Sem1dnrKlrXMR/X0bPnMWyluQe4RsNoYfmNLhOIkzw= google.golang.org/api v0.90.0/go.mod h1:+Sem1dnrKlrXMR/X0bPnMWyluQe4RsNoYfmNLhOIkzw= google.golang.org/api v0.91.0/go.mod h1:+Sem1dnrKlrXMR/X0bPnMWyluQe4RsNoYfmNLhOIkzw= -google.golang.org/api v0.102.0 h1:JxJl2qQ85fRMPNvlZY/enexbxpCjLwGhZUtgfGeQ51I= -google.golang.org/api v0.102.0/go.mod h1:3VFl6/fzoA+qNuS1N1/VfXY4LjoXN/wzeIp7TweWwGo= +google.golang.org/api v0.103.0 h1:9yuVqlu2JCvcLg9p8S3fcFLZij8EPSyvODIY1rkMizQ= +google.golang.org/api v0.103.0/go.mod h1:hGtW6nK1AC+d9si/UBhw8Xli+QMOf6xyNAyJw4qU9w0= google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM= google.golang.org/appengine v1.2.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= @@ -2301,8 +2295,8 @@ google.golang.org/genproto v0.0.0-20220617124728-180714bec0ad/go.mod h1:KEWEmljW google.golang.org/genproto v0.0.0-20220624142145-8cd45d7dbd1f/go.mod h1:KEWEmljWE5zPzLBa/oHl6DaEt9LmfH6WtH1OHIvleBA= google.golang.org/genproto v0.0.0-20220628213854-d9e0b6570c03/go.mod h1:KEWEmljWE5zPzLBa/oHl6DaEt9LmfH6WtH1OHIvleBA= google.golang.org/genproto v0.0.0-20220802133213-ce4fa296bf78/go.mod h1:iHe1svFLAZg9VWz891+QbRMwUv9O/1Ww+/mngYeThbc= -google.golang.org/genproto v0.0.0-20221027153422-115e99e71e1c h1:QgY/XxIAIeccR+Ca/rDdKubLIU9rcJ3xfy1DC/Wd2Oo= -google.golang.org/genproto v0.0.0-20221027153422-115e99e71e1c/go.mod h1:CGI5F/G+E5bKwmfYo09AXuVN4dD894kIKUFmVbP2/Fo= +google.golang.org/genproto v0.0.0-20221114212237-e4508ebdbee1 h1:jCw9YRd2s40X9Vxi4zKsPRvSPlHWNqadVkpbMsCPzPQ= +google.golang.org/genproto v0.0.0-20221114212237-e4508ebdbee1/go.mod h1:rZS5c/ZVYMaOGBfO68GWtjOw/eLaZM1X6iVtgjZ+EWg= google.golang.org/grpc v0.0.0-20160317175043-d3ddb4469d5a/go.mod h1:yo6s7OP7yaDglbqo1J04qKzAhqBH6lvTonzMVmEdcZw= google.golang.org/grpc v1.17.0/go.mod h1:6QZJwpn2B+Zp71q/5VxRsJ6NXXVCE5NRUHRo+f3cWCs= google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= diff --git a/internal/cmd/initprovider.go b/internal/cmd/initprovider.go index ec1afeae..7c9c24a3 100644 --- a/internal/cmd/initprovider.go +++ b/internal/cmd/initprovider.go @@ -65,6 +65,12 @@ Please take a look at the usage below to customize the options.`, logger.ErrorToConsole("Unable to initialize KMS: %v", err) os.Exit(1) } + mfaConfig := config.GetMFAConfig() + err = mfaConfig.Initialize() + if err != nil { + logger.ErrorToConsole("Unable to initialize MFA: %v", err) + os.Exit(1) + } providerConf := config.GetProviderConf() // ignore actions providerConf.Actions.Hook = "" diff --git a/internal/cmd/resetprovider.go b/internal/cmd/resetprovider.go index d274ecda..cc372a1d 100644 --- a/internal/cmd/resetprovider.go +++ b/internal/cmd/resetprovider.go @@ -56,7 +56,7 @@ Please take a look at the usage below to customize the options.`, } providerConf := config.GetProviderConf() if !resetProviderForce { - logger.WarnToConsole("You are about to delete all the SFTPGo data for provider %#v, config file: %#v", + logger.WarnToConsole("You are about to delete all the SFTPGo data for provider %q, config file: %q", providerConf.Driver, viper.ConfigFileUsed()) logger.WarnToConsole("Are you sure? (Y/n)") reader := bufio.NewReader(os.Stdin) @@ -70,7 +70,7 @@ Please take a look at the usage below to customize the options.`, os.Exit(1) } } - logger.InfoToConsole("Resetting provider: %#v, config file: %#v", providerConf.Driver, viper.ConfigFileUsed()) + logger.InfoToConsole("Resetting provider: %q, config file: %q", providerConf.Driver, viper.ConfigFileUsed()) err = dataprovider.ResetDatabase(providerConf, configDir) if err != nil { logger.WarnToConsole("Error resetting provider: %v", err) diff --git a/internal/cmd/revertprovider.go b/internal/cmd/revertprovider.go index 7414a632..670cba68 100644 --- a/internal/cmd/revertprovider.go +++ b/internal/cmd/revertprovider.go @@ -40,8 +40,8 @@ Please take a look at the usage below to customize the options.`, Run: func(_ *cobra.Command, _ []string) { logger.DisableLogger() logger.EnableConsoleLogger(zerolog.DebugLevel) - if revertProviderTargetVersion != 19 { - logger.WarnToConsole("Unsupported target version, 19 is the only supported one") + if revertProviderTargetVersion != 23 { + logger.WarnToConsole("Unsupported target version, 23 is the only supported one") os.Exit(1) } configDir = util.CleanDirInput(configDir) @@ -57,7 +57,7 @@ Please take a look at the usage below to customize the options.`, os.Exit(1) } providerConf := config.GetProviderConf() - logger.InfoToConsole("Reverting provider: %#v config file: %#v target version %v", providerConf.Driver, + logger.InfoToConsole("Reverting provider: %q config file: %q target version %d", providerConf.Driver, viper.ConfigFileUsed(), revertProviderTargetVersion) err = dataprovider.RevertDatabase(providerConf, configDir, revertProviderTargetVersion) if err != nil { @@ -71,7 +71,7 @@ Please take a look at the usage below to customize the options.`, func init() { addConfigFlags(revertProviderCmd) - revertProviderCmd.Flags().IntVar(&revertProviderTargetVersion, "to-version", 19, `19 means the version supported in v2.3.x`) + revertProviderCmd.Flags().IntVar(&revertProviderTargetVersion, "to-version", 23, `23 means the version supported in v2.4.x`) rootCmd.AddCommand(revertProviderCmd) } diff --git a/internal/cmd/startsubsys.go b/internal/cmd/startsubsys.go index 15c21549..f04ad692 100644 --- a/internal/cmd/startsubsys.go +++ b/internal/cmd/startsubsys.go @@ -137,7 +137,7 @@ Command-line flags should be specified in the Subsystem declaration. logger.Error(logSender, connectionID, "unable to initialize commands configuration: %v", err) os.Exit(1) } - user, err := dataprovider.UserExists(username) + user, err := dataprovider.UserExists(username, "") if err == nil { if user.HomeDir != filepath.Clean(homedir) && !preserveHomeDir { // update the user diff --git a/internal/common/common.go b/internal/common/common.go index 1ec32289..f8ceabf6 100644 --- a/internal/common/common.go +++ b/internal/common/common.go @@ -417,6 +417,7 @@ type ActiveTransfer interface { type ActiveConnection interface { GetID() string GetUsername() string + GetRole() string GetMaxSessions() int GetLocalAddress() string GetRemoteAddress() string @@ -945,7 +946,7 @@ func (conns *ActiveConnections) Remove(connectionID string) { // Close closes an active connection. // It returns true on success -func (conns *ActiveConnections) Close(connectionID string) bool { +func (conns *ActiveConnections) Close(connectionID, role string) bool { conns.RLock() var result bool @@ -953,11 +954,13 @@ func (conns *ActiveConnections) Close(connectionID string) bool { if idx, ok := conns.mapping[connectionID]; ok { c := conns.connections[idx] - defer func(conn ActiveConnection) { - err := conn.Disconnect() - logger.Debug(conn.GetProtocol(), conn.GetID(), "close connection requested, close err: %v", err) - }(c) - result = true + if role == "" || c.GetRole() == role { + defer func(conn ActiveConnection) { + err := conn.Disconnect() + logger.Debug(conn.GetProtocol(), conn.GetID(), "close connection requested, close err: %v", err) + }(c) + result = true + } } conns.RUnlock() @@ -1161,26 +1164,28 @@ func (conns *ActiveConnections) IsNewConnectionAllowed(ipAddr string) error { } // GetStats returns stats for active connections -func (conns *ActiveConnections) GetStats() []ConnectionStatus { +func (conns *ActiveConnections) GetStats(role string) []ConnectionStatus { conns.RLock() defer conns.RUnlock() stats := make([]ConnectionStatus, 0, len(conns.connections)) node := dataprovider.GetNodeName() for _, c := range conns.connections { - stat := ConnectionStatus{ - Username: c.GetUsername(), - ConnectionID: c.GetID(), - ClientVersion: c.GetClientVersion(), - RemoteAddress: c.GetRemoteAddress(), - ConnectionTime: util.GetTimeAsMsSinceEpoch(c.GetConnectionTime()), - LastActivity: util.GetTimeAsMsSinceEpoch(c.GetLastActivity()), - Protocol: c.GetProtocol(), - Command: c.GetCommand(), - Transfers: c.GetTransfers(), - Node: node, + if role == "" || c.GetRole() == role { + stat := ConnectionStatus{ + Username: c.GetUsername(), + ConnectionID: c.GetID(), + ClientVersion: c.GetClientVersion(), + RemoteAddress: c.GetRemoteAddress(), + ConnectionTime: util.GetTimeAsMsSinceEpoch(c.GetConnectionTime()), + LastActivity: util.GetTimeAsMsSinceEpoch(c.GetLastActivity()), + Protocol: c.GetProtocol(), + Command: c.GetCommand(), + Transfers: c.GetTransfers(), + Node: node, + } + stats = append(stats, stat) } - stats = append(stats, stat) } return stats } @@ -1253,7 +1258,8 @@ type ActiveQuotaScan struct { // Username to which the quota scan refers Username string `json:"username"` // quota scan start time as unix timestamp in milliseconds - StartTime int64 `json:"start_time"` + StartTime int64 `json:"start_time"` + Role string `json:"-"` } // ActiveVirtualFolderQuotaScan defines an active quota scan for a virtual folder @@ -1272,18 +1278,26 @@ type ActiveScans struct { } // GetUsersQuotaScans returns the active users quota scans -func (s *ActiveScans) GetUsersQuotaScans() []ActiveQuotaScan { +func (s *ActiveScans) GetUsersQuotaScans(role string) []ActiveQuotaScan { s.RLock() defer s.RUnlock() - scans := make([]ActiveQuotaScan, len(s.UserScans)) - copy(scans, s.UserScans) + scans := make([]ActiveQuotaScan, 0, len(s.UserScans)) + for _, scan := range s.UserScans { + if role == "" || role == scan.Role { + scans = append(scans, ActiveQuotaScan{ + Username: scan.Username, + StartTime: scan.StartTime, + }) + } + } + return scans } // AddUserQuotaScan adds a user to the ones with active quota scans. // Returns false if the user has a quota scan already running -func (s *ActiveScans) AddUserQuotaScan(username string) bool { +func (s *ActiveScans) AddUserQuotaScan(username, role string) bool { s.Lock() defer s.Unlock() @@ -1295,6 +1309,7 @@ func (s *ActiveScans) AddUserQuotaScan(username string) bool { s.UserScans = append(s.UserScans, ActiveQuotaScan{ Username: username, StartTime: util.GetTimeAsMsSinceEpoch(time.Now()), + Role: role, }) return true } @@ -1367,7 +1382,8 @@ type MetadataCheck struct { // Username to which the metadata check refers Username string `json:"username"` // check start time as unix timestamp in milliseconds - StartTime int64 `json:"start_time"` + StartTime int64 `json:"start_time"` + Role string `json:"-"` } // MetadataChecks holds the active metadata checks @@ -1377,19 +1393,26 @@ type MetadataChecks struct { } // Get returns the active metadata checks -func (c *MetadataChecks) Get() []MetadataCheck { +func (c *MetadataChecks) Get(role string) []MetadataCheck { c.RLock() defer c.RUnlock() - checks := make([]MetadataCheck, len(c.checks)) - copy(checks, c.checks) + checks := make([]MetadataCheck, 0, len(c.checks)) + for _, check := range c.checks { + if role == "" || role == check.Role { + checks = append(checks, MetadataCheck{ + Username: check.Username, + StartTime: check.StartTime, + }) + } + } return checks } // Add adds a user to the ones with active metadata checks. // Return false if a metadata check is already active for the specified user -func (c *MetadataChecks) Add(username string) bool { +func (c *MetadataChecks) Add(username, role string) bool { c.Lock() defer c.Unlock() @@ -1402,6 +1425,7 @@ func (c *MetadataChecks) Add(username string) bool { c.checks = append(c.checks, MetadataCheck{ Username: username, StartTime: util.GetTimeAsMsSinceEpoch(time.Now()), + Role: role, }) return true diff --git a/internal/common/common_test.go b/internal/common/common_test.go index 2c0d1375..d5a5c156 100644 --- a/internal/common/common_test.go +++ b/internal/common/common_test.go @@ -540,7 +540,7 @@ func TestUserMaxSessions(t *testing.T) { Connections.Lock() Connections.removeUserConnection(userTestUsername) Connections.Unlock() - assert.Len(t, Connections.GetStats(), 0) + assert.Len(t, Connections.GetStats(""), 0) } func TestMaxConnections(t *testing.T) { @@ -562,12 +562,12 @@ func TestMaxConnections(t *testing.T) { } err := Connections.Add(fakeConn) assert.NoError(t, err) - assert.Len(t, Connections.GetStats(), 1) + assert.Len(t, Connections.GetStats(""), 1) assert.Error(t, Connections.IsNewConnectionAllowed(ipAddr)) - res := Connections.Close(fakeConn.GetID()) + res := Connections.Close(fakeConn.GetID(), "") assert.True(t, res) - assert.Eventually(t, func() bool { return len(Connections.GetStats()) == 0 }, 300*time.Millisecond, 50*time.Millisecond) + assert.Eventually(t, func() bool { return len(Connections.GetStats("")) == 0 }, 300*time.Millisecond, 50*time.Millisecond) assert.NoError(t, Connections.IsNewConnectionAllowed(ipAddr)) Connections.AddClientConnection(ipAddr) @@ -580,6 +580,33 @@ func TestMaxConnections(t *testing.T) { Config.MaxTotalConnections = oldValue } +func TestConnectionRoles(t *testing.T) { + username := "testUsername" + role1 := "testRole1" + role2 := "testRole2" + c := NewBaseConnection("id", ProtocolSFTP, "", "", dataprovider.User{ + BaseUser: sdk.BaseUser{ + Username: username, + Role: role1, + }, + }) + fakeConn := &fakeConnection{ + BaseConnection: c, + } + err := Connections.Add(fakeConn) + assert.NoError(t, err) + assert.Len(t, Connections.GetStats(""), 1) + assert.Len(t, Connections.GetStats(role1), 1) + assert.Len(t, Connections.GetStats(role2), 0) + + res := Connections.Close(fakeConn.GetID(), role2) + assert.False(t, res) + assert.Len(t, Connections.GetStats(""), 1) + res = Connections.Close(fakeConn.GetID(), role1) + assert.True(t, res) + assert.Eventually(t, func() bool { return len(Connections.GetStats("")) == 0 }, 300*time.Millisecond, 50*time.Millisecond) +} + func TestMaxConnectionPerHost(t *testing.T) { oldValue := Config.MaxPerHostConnections @@ -660,7 +687,7 @@ func TestIdleConnections(t *testing.T) { err = Connections.Add(fakeConn) assert.NoError(t, err) assert.Equal(t, Connections.GetActiveSessions(username), 2) - assert.Len(t, Connections.GetStats(), 3) + assert.Len(t, Connections.GetStats(""), 3) Connections.RLock() assert.Len(t, Connections.sshConnections, 2) Connections.RUnlock() @@ -673,12 +700,12 @@ func TestIdleConnections(t *testing.T) { return len(Connections.sshConnections) == 1 }, 1*time.Second, 200*time.Millisecond) stopEventScheduler() - assert.Len(t, Connections.GetStats(), 2) + assert.Len(t, Connections.GetStats(""), 2) c.lastActivity.Store(time.Now().Add(-24 * time.Hour).UnixNano()) cFTP.lastActivity.Store(time.Now().Add(-24 * time.Hour).UnixNano()) sshConn2.lastActivity.Store(c.lastActivity.Load()) startPeriodicChecks(100 * time.Millisecond) - assert.Eventually(t, func() bool { return len(Connections.GetStats()) == 0 }, 2*time.Second, 200*time.Millisecond) + assert.Eventually(t, func() bool { return len(Connections.GetStats("")) == 0 }, 2*time.Second, 200*time.Millisecond) assert.Eventually(t, func() bool { Connections.RLock() defer Connections.RUnlock() @@ -700,11 +727,11 @@ func TestCloseConnection(t *testing.T) { assert.NoError(t, Connections.IsNewConnectionAllowed("127.0.0.1")) err := Connections.Add(fakeConn) assert.NoError(t, err) - assert.Len(t, Connections.GetStats(), 1) - res := Connections.Close(fakeConn.GetID()) + assert.Len(t, Connections.GetStats(""), 1) + res := Connections.Close(fakeConn.GetID(), "") assert.True(t, res) - assert.Eventually(t, func() bool { return len(Connections.GetStats()) == 0 }, 300*time.Millisecond, 50*time.Millisecond) - res = Connections.Close(fakeConn.GetID()) + assert.Eventually(t, func() bool { return len(Connections.GetStats("")) == 0 }, 300*time.Millisecond, 50*time.Millisecond) + res = Connections.Close(fakeConn.GetID(), "") assert.False(t, res) Connections.Remove(fakeConn.GetID()) } @@ -716,8 +743,8 @@ func TestSwapConnection(t *testing.T) { } err := Connections.Add(fakeConn) assert.NoError(t, err) - if assert.Len(t, Connections.GetStats(), 1) { - assert.Equal(t, "", Connections.GetStats()[0].Username) + if assert.Len(t, Connections.GetStats(""), 1) { + assert.Equal(t, "", Connections.GetStats("")[0].Username) } c = NewBaseConnection("id", ProtocolFTP, "", "", dataprovider.User{ BaseUser: sdk.BaseUser{ @@ -743,12 +770,12 @@ func TestSwapConnection(t *testing.T) { Connections.Remove(fakeConn1.ID) err = Connections.Swap(fakeConn) assert.NoError(t, err) - if assert.Len(t, Connections.GetStats(), 1) { - assert.Equal(t, userTestUsername, Connections.GetStats()[0].Username) + if assert.Len(t, Connections.GetStats(""), 1) { + assert.Equal(t, userTestUsername, Connections.GetStats("")[0].Username) } - res := Connections.Close(fakeConn.GetID()) + res := Connections.Close(fakeConn.GetID(), "") assert.True(t, res) - assert.Eventually(t, func() bool { return len(Connections.GetStats()) == 0 }, 300*time.Millisecond, 50*time.Millisecond) + assert.Eventually(t, func() bool { return len(Connections.GetStats("")) == 0 }, 300*time.Millisecond, 50*time.Millisecond) err = Connections.Swap(fakeConn) assert.Error(t, err) } @@ -800,7 +827,7 @@ func TestConnectionStatus(t *testing.T) { err = Connections.Add(fakeConn3) assert.NoError(t, err) - stats := Connections.GetStats() + stats := Connections.GetStats("") assert.Len(t, stats, 3) for _, stat := range stats { assert.Equal(t, stat.Username, username) @@ -838,24 +865,24 @@ func TestConnectionStatus(t *testing.T) { assert.Error(t, err) Connections.Remove(fakeConn1.GetID()) - stats = Connections.GetStats() + stats = Connections.GetStats("") assert.Len(t, stats, 2) assert.Equal(t, fakeConn3.GetID(), stats[0].ConnectionID) assert.Equal(t, fakeConn2.GetID(), stats[1].ConnectionID) Connections.Remove(fakeConn2.GetID()) - stats = Connections.GetStats() + stats = Connections.GetStats("") assert.Len(t, stats, 1) assert.Equal(t, fakeConn3.GetID(), stats[0].ConnectionID) Connections.Remove(fakeConn3.GetID()) - stats = Connections.GetStats() + stats = Connections.GetStats("") assert.Len(t, stats, 0) } func TestQuotaScans(t *testing.T) { username := "username" - assert.True(t, QuotaScans.AddUserQuotaScan(username)) - assert.False(t, QuotaScans.AddUserQuotaScan(username)) - usersScans := QuotaScans.GetUsersQuotaScans() + assert.True(t, QuotaScans.AddUserQuotaScan(username, "")) + assert.False(t, QuotaScans.AddUserQuotaScan(username, "")) + usersScans := QuotaScans.GetUsersQuotaScans("") if assert.Len(t, usersScans, 1) { assert.Equal(t, usersScans[0].Username, username) assert.Equal(t, QuotaScans.UserScans[0].StartTime, usersScans[0].StartTime) @@ -865,7 +892,7 @@ func TestQuotaScans(t *testing.T) { assert.True(t, QuotaScans.RemoveUserQuotaScan(username)) assert.False(t, QuotaScans.RemoveUserQuotaScan(username)) - assert.Len(t, QuotaScans.GetUsersQuotaScans(), 0) + assert.Len(t, QuotaScans.GetUsersQuotaScans(""), 0) assert.Len(t, usersScans, 1) folderName := "folder" @@ -880,6 +907,24 @@ func TestQuotaScans(t *testing.T) { assert.Len(t, QuotaScans.GetVFoldersQuotaScans(), 0) } +func TestQuotaScansRole(t *testing.T) { + username := "u" + role1 := "r1" + role2 := "r2" + assert.True(t, QuotaScans.AddUserQuotaScan(username, role1)) + assert.False(t, QuotaScans.AddUserQuotaScan(username, "")) + usersScans := QuotaScans.GetUsersQuotaScans("") + assert.Len(t, usersScans, 1) + assert.Empty(t, usersScans[0].Role) + usersScans = QuotaScans.GetUsersQuotaScans(role1) + assert.Len(t, usersScans, 1) + usersScans = QuotaScans.GetUsersQuotaScans(role2) + assert.Len(t, usersScans, 0) + assert.True(t, QuotaScans.RemoveUserQuotaScan(username)) + assert.False(t, QuotaScans.RemoveUserQuotaScan(username)) + assert.Len(t, QuotaScans.GetUsersQuotaScans(""), 0) +} + func TestProxyProtocolVersion(t *testing.T) { c := Configuration{ ProxyProtocol: 0, @@ -1342,13 +1387,13 @@ func TestUpdateTransferTimestamps(t *testing.T) { err = dataprovider.UpdateUserTransferTimestamps(username, true) assert.NoError(t, err) - userGet, err := dataprovider.UserExists(username) + userGet, err := dataprovider.UserExists(username, "") assert.NoError(t, err) assert.Greater(t, userGet.FirstUpload, int64(0)) assert.Equal(t, int64(0), user.FirstDownload) err = dataprovider.UpdateUserTransferTimestamps(username, false) assert.NoError(t, err) - userGet, err = dataprovider.UserExists(username) + userGet, err = dataprovider.UserExists(username, "") assert.NoError(t, err) assert.Greater(t, userGet.FirstUpload, int64(0)) assert.Greater(t, userGet.FirstDownload, int64(0)) @@ -1358,23 +1403,40 @@ func TestUpdateTransferTimestamps(t *testing.T) { err = dataprovider.UpdateUserTransferTimestamps(username, false) assert.Error(t, err) // cleanup - err = dataprovider.DeleteUser(username, "", "") + err = dataprovider.DeleteUser(username, "", "", "") assert.NoError(t, err) } func TestMetadataAPI(t *testing.T) { username := "metadatauser" require.False(t, ActiveMetadataChecks.Remove(username)) - require.True(t, ActiveMetadataChecks.Add(username)) - require.False(t, ActiveMetadataChecks.Add(username)) - checks := ActiveMetadataChecks.Get() + require.True(t, ActiveMetadataChecks.Add(username, "")) + require.False(t, ActiveMetadataChecks.Add(username, "")) + checks := ActiveMetadataChecks.Get("") require.Len(t, checks, 1) checks[0].Username = username + "a" - checks = ActiveMetadataChecks.Get() + checks = ActiveMetadataChecks.Get("") require.Len(t, checks, 1) require.Equal(t, username, checks[0].Username) require.True(t, ActiveMetadataChecks.Remove(username)) - require.Len(t, ActiveMetadataChecks.Get(), 0) + require.Len(t, ActiveMetadataChecks.Get(""), 0) +} + +func TestMetadataAPIRole(t *testing.T) { + username := "muser" + role1 := "r1" + role2 := "r2" + require.True(t, ActiveMetadataChecks.Add(username, role2)) + require.False(t, ActiveMetadataChecks.Add(username, "")) + checks := ActiveMetadataChecks.Get("") + require.Len(t, checks, 1) + assert.Empty(t, checks[0].Role) + checks = ActiveMetadataChecks.Get(role1) + require.Len(t, checks, 0) + checks = ActiveMetadataChecks.Get(role2) + require.Len(t, checks, 1) + require.True(t, ActiveMetadataChecks.Remove(username)) + require.Len(t, ActiveMetadataChecks.Get(""), 0) } func BenchmarkBcryptHashing(b *testing.B) { diff --git a/internal/common/connection.go b/internal/common/connection.go index 24a3db07..7c4d81d1 100644 --- a/internal/common/connection.go +++ b/internal/common/connection.go @@ -98,6 +98,11 @@ func (c *BaseConnection) GetUsername() string { return c.User.Username } +// GetRole returns the role for the user associated with this connection +func (c *BaseConnection) GetRole() string { + return c.User.Role +} + // GetMaxSessions returns the maximum number of concurrent sessions allowed func (c *BaseConnection) GetMaxSessions() int { return c.User.MaxSessions diff --git a/internal/common/dataretention.go b/internal/common/dataretention.go index b58768d2..1c641ed5 100644 --- a/internal/common/dataretention.go +++ b/internal/common/dataretention.go @@ -62,23 +62,25 @@ type ActiveRetentionChecks struct { } // Get returns the active retention checks -func (c *ActiveRetentionChecks) Get() []RetentionCheck { +func (c *ActiveRetentionChecks) Get(role string) []RetentionCheck { c.RLock() defer c.RUnlock() checks := make([]RetentionCheck, 0, len(c.Checks)) for _, check := range c.Checks { - foldersCopy := make([]dataprovider.FolderRetention, len(check.Folders)) - copy(foldersCopy, check.Folders) - notificationsCopy := make([]string, len(check.Notifications)) - copy(notificationsCopy, check.Notifications) - checks = append(checks, RetentionCheck{ - Username: check.Username, - StartTime: check.StartTime, - Notifications: notificationsCopy, - Email: check.Email, - Folders: foldersCopy, - }) + if role == "" || role == check.Role { + foldersCopy := make([]dataprovider.FolderRetention, len(check.Folders)) + copy(foldersCopy, check.Folders) + notificationsCopy := make([]string, len(check.Notifications)) + copy(notificationsCopy, check.Notifications) + checks = append(checks, RetentionCheck{ + Username: check.Username, + StartTime: check.StartTime, + Notifications: notificationsCopy, + Email: check.Email, + Folders: foldersCopy, + }) + } } return checks } @@ -100,6 +102,7 @@ func (c *ActiveRetentionChecks) Add(check RetentionCheck, user *dataprovider.Use conn.SetProtocol(ProtocolDataRetention) conn.ID = fmt.Sprintf("data_retention_%v", user.Username) check.Username = user.Username + check.Role = user.Role check.StartTime = util.GetTimeAsMsSinceEpoch(time.Now()) check.conn = conn check.updateUserPermissions() @@ -148,6 +151,7 @@ type RetentionCheck struct { Notifications []RetentionCheckNotification `json:"notifications,omitempty"` // email to use if the notification method is set to email Email string `json:"email,omitempty"` + Role string `json:"-"` // Cleanup results results []folderRetentionCheckResult `json:"-"` conn *BaseConnection diff --git a/internal/common/dataretention_test.go b/internal/common/dataretention_test.go index 3b7dc9a3..a9c33933 100644 --- a/internal/common/dataretention_test.go +++ b/internal/common/dataretention_test.go @@ -316,7 +316,7 @@ func TestRetentionCheckAddRemove(t *testing.T) { Notifications: []RetentionCheckNotification{RetentionCheckNotificationHook}, } assert.NotNil(t, RetentionChecks.Add(check, &user)) - checks := RetentionChecks.Get() + checks := RetentionChecks.Get("") require.Len(t, checks, 1) assert.Equal(t, username, checks[0].Username) assert.Greater(t, checks[0].StartTime, int64(0)) @@ -328,10 +328,45 @@ func TestRetentionCheckAddRemove(t *testing.T) { assert.Nil(t, RetentionChecks.Add(check, &user)) assert.True(t, RetentionChecks.remove(username)) - require.Len(t, RetentionChecks.Get(), 0) + require.Len(t, RetentionChecks.Get(""), 0) assert.False(t, RetentionChecks.remove(username)) } +func TestRetentionCheckRole(t *testing.T) { + username := "retuser" + role1 := "retrole1" + role2 := "retrole2" + user := dataprovider.User{ + BaseUser: sdk.BaseUser{ + Username: username, + Role: role1, + }, + } + user.Permissions = make(map[string][]string) + user.Permissions["/"] = []string{dataprovider.PermAny} + check := RetentionCheck{ + Folders: []dataprovider.FolderRetention{ + { + Path: "/", + Retention: 48, + }, + }, + Notifications: []RetentionCheckNotification{RetentionCheckNotificationHook}, + } + assert.NotNil(t, RetentionChecks.Add(check, &user)) + checks := RetentionChecks.Get("") + require.Len(t, checks, 1) + assert.Empty(t, checks[0].Role) + checks = RetentionChecks.Get(role1) + require.Len(t, checks, 1) + checks = RetentionChecks.Get(role2) + require.Len(t, checks, 0) + user.Role = "" + assert.Nil(t, RetentionChecks.Add(check, &user)) + assert.True(t, RetentionChecks.remove(username)) + require.Len(t, RetentionChecks.Get(""), 0) +} + func TestCleanupErrors(t *testing.T) { user := dataprovider.User{ BaseUser: sdk.BaseUser{ diff --git a/internal/common/eventmanager.go b/internal/common/eventmanager.go index 58214e93..0f9a7827 100644 --- a/internal/common/eventmanager.go +++ b/internal/common/eventmanager.go @@ -531,7 +531,7 @@ func (p *EventParams) getUserFromSender() (dataprovider.User, error) { }, }, nil } - user, err := dataprovider.UserExists(p.sender) + user, err := dataprovider.UserExists(p.sender, "") if err != nil { eventManagerLog(logger.LevelError, "unable to get user %q: %+v", p.sender, err) return user, fmt.Errorf("error getting user %q", p.sender) @@ -1652,7 +1652,7 @@ func executeQuotaResetForUser(user dataprovider.User) error { user.Username, err) return err } - if !QuotaScans.AddUserQuotaScan(user.Username) { + if !QuotaScans.AddUserQuotaScan(user.Username, user.Role) { eventManagerLog(logger.LevelError, "another quota scan is already in progress for user %q", user.Username) return fmt.Errorf("another quota scan is in progress for user %q", user.Username) } @@ -1874,7 +1874,7 @@ func executeMetadataCheckForUser(user dataprovider.User) error { user.Username, err) return err } - if !ActiveMetadataChecks.Add(user.Username) { + if !ActiveMetadataChecks.Add(user.Username, user.Role) { eventManagerLog(logger.LevelError, "another metadata check is already in progress for user %q", user.Username) return fmt.Errorf("another metadata check is in progress for user %q", user.Username) } diff --git a/internal/common/eventmanager_test.go b/internal/common/eventmanager_test.go index 56815901..431cf7c7 100644 --- a/internal/common/eventmanager_test.go +++ b/internal/common/eventmanager_test.go @@ -645,12 +645,12 @@ func TestEventRuleActions(t *testing.T) { }, }) assert.NoError(t, err) - userGet, err := dataprovider.UserExists(username1) + userGet, err := dataprovider.UserExists(username1, "") assert.NoError(t, err) assert.Equal(t, 1, userGet.UsedQuotaFiles) assert.Equal(t, int64(4), userGet.UsedQuotaSize) // simulate another quota scan in progress - assert.True(t, QuotaScans.AddUserQuotaScan(username1)) + assert.True(t, QuotaScans.AddUserQuotaScan(username1, "")) err = executeRuleAction(action, &EventParams{}, dataprovider.ConditionOptions{ Names: []dataprovider.ConditionPattern{ { @@ -694,7 +694,7 @@ func TestEventRuleActions(t *testing.T) { }) assert.NoError(t, err) // simulate another metadata check in progress - assert.True(t, ActiveMetadataChecks.Add(username1)) + assert.True(t, ActiveMetadataChecks.Add(username1, "")) err = executeRuleAction(action, &EventParams{}, dataprovider.ConditionOptions{ Names: []dataprovider.ConditionPattern{ { @@ -850,7 +850,7 @@ func TestEventRuleActions(t *testing.T) { }, }) assert.NoError(t, err) - userGet, err = dataprovider.UserExists(username1) + userGet, err = dataprovider.UserExists(username1, "") assert.NoError(t, err) assert.Equal(t, int64(0), userGet.UsedDownloadDataTransfer) assert.Equal(t, int64(0), userGet.UsedUploadDataTransfer) @@ -948,9 +948,9 @@ func TestEventRuleActions(t *testing.T) { assert.Error(t, err) assert.Contains(t, getErrorString(err), "no file/folder compressed") - err = dataprovider.DeleteUser(username1, "", "") + err = dataprovider.DeleteUser(username1, "", "", "") assert.NoError(t, err) - err = dataprovider.DeleteUser(username2, "", "") + err = dataprovider.DeleteUser(username2, "", "", "") assert.NoError(t, err) // test folder quota reset foldername1 := "f1" @@ -1085,7 +1085,7 @@ func TestEventRuleActionsNoGroupMatching(t *testing.T) { assert.Contains(t, err.Error(), "no retention check executed") } - err = dataprovider.DeleteUser(username, "", "") + err = dataprovider.DeleteUser(username, "", "", "") assert.NoError(t, err) err = os.RemoveAll(user.GetHomeDir()) assert.NoError(t, err) @@ -1147,7 +1147,7 @@ func TestGetFileContent(t *testing.T) { _, err = getMailAttachments(user, []string{"/file.txt"}, replacer) assert.Error(t, err) - err = dataprovider.DeleteUser(username, "", "") + err = dataprovider.DeleteUser(username, "", "", "") assert.NoError(t, err) err = os.RemoveAll(user.GetHomeDir()) assert.NoError(t, err) @@ -1232,7 +1232,7 @@ func TestFilesystemActionErrors(t *testing.T) { assert.Error(t, err) user.FsConfig.Provider = sdk.LocalFilesystemProvider user.Permissions["/"] = []string{dataprovider.PermUpload} - err = dataprovider.DeleteUser(username, "", "") + err = dataprovider.DeleteUser(username, "", "", "") assert.NoError(t, err) err = dataprovider.AddUser(&user, "", "") assert.NoError(t, err) @@ -1344,7 +1344,7 @@ func TestFilesystemActionErrors(t *testing.T) { assert.Contains(t, getErrorString(err), "is outside base dir") } - err = dataprovider.DeleteUser(username, "", "") + err = dataprovider.DeleteUser(username, "", "", "") assert.NoError(t, err) err = os.RemoveAll(user.GetHomeDir()) assert.NoError(t, err) @@ -1400,7 +1400,7 @@ func TestQuotaActionsWithQuotaTrackDisabled(t *testing.T) { err = os.RemoveAll(user.GetHomeDir()) assert.NoError(t, err) - err = dataprovider.DeleteUser(username, "", "") + err = dataprovider.DeleteUser(username, "", "", "") assert.NoError(t, err) foldername := "f1" diff --git a/internal/common/protocol_test.go b/internal/common/protocol_test.go index 00a46141..88901f04 100644 --- a/internal/common/protocol_test.go +++ b/internal/common/protocol_test.go @@ -3067,7 +3067,7 @@ func TestUserPasswordHashing(t *testing.T) { err = dataprovider.Initialize(providerConf, configDir, true) assert.NoError(t, err) - currentUser, err := dataprovider.UserExists(user.Username) + currentUser, err := dataprovider.UserExists(user.Username, "") assert.NoError(t, err) assert.True(t, strings.HasPrefix(currentUser.Password, "$2a$")) @@ -3088,7 +3088,7 @@ func TestUserPasswordHashing(t *testing.T) { user, _, err = httpdtest.AddUser(u, http.StatusCreated) assert.NoError(t, err) - currentUser, err = dataprovider.UserExists(user.Username) + currentUser, err = dataprovider.UserExists(user.Username, "") assert.NoError(t, err) assert.True(t, strings.HasPrefix(currentUser.Password, "$argon2id$")) @@ -3193,7 +3193,7 @@ func TestDelayedQuotaUpdater(t *testing.T) { assert.Equal(t, int64(100), ulSize) assert.Equal(t, int64(200), dlSize) - userGet, err := dataprovider.UserExists(user.Username) + userGet, err := dataprovider.UserExists(user.Username, "") assert.NoError(t, err) assert.Equal(t, 0, userGet.UsedQuotaFiles) assert.Equal(t, int64(0), userGet.UsedQuotaSize) @@ -3211,7 +3211,7 @@ func TestDelayedQuotaUpdater(t *testing.T) { assert.Equal(t, int64(100), ulSize) assert.Equal(t, int64(200), dlSize) - userGet, err = dataprovider.UserExists(user.Username) + userGet, err = dataprovider.UserExists(user.Username, "") assert.NoError(t, err) assert.Equal(t, 10, userGet.UsedQuotaFiles) assert.Equal(t, int64(6000), userGet.UsedQuotaSize) @@ -5609,7 +5609,7 @@ func TestEventRuleIPBlocked(t *testing.T) { assert.NoError(t, err) err = dataprovider.DeleteEventAction(action2.Name, "", "") assert.NoError(t, err) - err = dataprovider.DeleteUser(user.Username, "", "") + err = dataprovider.DeleteUser(user.Username, "", "", "") assert.NoError(t, err) err = os.RemoveAll(user.GetHomeDir()) assert.NoError(t, err) @@ -5815,7 +5815,7 @@ func TestRetentionAPI(t *testing.T) { assert.NoError(t, err) assert.Eventually(t, func() bool { - return len(common.RetentionChecks.Get()) == 0 + return len(common.RetentionChecks.Get("")) == 0 }, 1000*time.Millisecond, 50*time.Millisecond) _, err = client.Stat(uploadPath) @@ -5828,7 +5828,7 @@ func TestRetentionAPI(t *testing.T) { assert.NoError(t, err) assert.Eventually(t, func() bool { - return len(common.RetentionChecks.Get()) == 0 + return len(common.RetentionChecks.Get("")) == 0 }, 1000*time.Millisecond, 50*time.Millisecond) _, err = client.Stat(uploadPath) @@ -5850,7 +5850,7 @@ func TestRetentionAPI(t *testing.T) { assert.NoError(t, err) assert.Eventually(t, func() bool { - return len(common.RetentionChecks.Get()) == 0 + return len(common.RetentionChecks.Get("")) == 0 }, 1000*time.Millisecond, 50*time.Millisecond) _, err = client.Stat(uploadPath) @@ -5905,7 +5905,7 @@ func TestRetentionAPI(t *testing.T) { assert.NoError(t, err) assert.Eventually(t, func() bool { - return len(common.RetentionChecks.Get()) == 0 + return len(common.RetentionChecks.Get("")) == 0 }, 1000*time.Millisecond, 50*time.Millisecond) _, err = client.Stat(uploadPath) @@ -5918,7 +5918,7 @@ func TestRetentionAPI(t *testing.T) { assert.NoError(t, err) assert.Eventually(t, func() bool { - return len(common.RetentionChecks.Get()) == 0 + return len(common.RetentionChecks.Get("")) == 0 }, 1000*time.Millisecond, 50*time.Millisecond) _, err = client.Stat(uploadPath) @@ -5940,7 +5940,7 @@ func TestRetentionAPI(t *testing.T) { assert.NoError(t, err) assert.Eventually(t, func() bool { - return len(common.RetentionChecks.Get()) == 0 + return len(common.RetentionChecks.Get("")) == 0 }, 1000*time.Millisecond, 50*time.Millisecond) _, err = client.Stat(innerUploadFilePath) @@ -5975,7 +5975,7 @@ func TestRetentionAPI(t *testing.T) { assert.NoError(t, err) assert.Eventually(t, func() bool { - return len(common.RetentionChecks.Get()) == 0 + return len(common.RetentionChecks.Get("")) == 0 }, 1000*time.Millisecond, 50*time.Millisecond) err = os.Chmod(dirPath, 0555) @@ -5985,7 +5985,7 @@ func TestRetentionAPI(t *testing.T) { assert.NoError(t, err) assert.Eventually(t, func() bool { - return len(common.RetentionChecks.Get()) == 0 + return len(common.RetentionChecks.Get("")) == 0 }, 1000*time.Millisecond, 50*time.Millisecond) err = os.Chmod(dirPath, os.ModePerm) @@ -5995,7 +5995,7 @@ func TestRetentionAPI(t *testing.T) { assert.NoError(t, err) assert.Eventually(t, func() bool { - return len(common.RetentionChecks.Get()) == 0 + return len(common.RetentionChecks.Get("")) == 0 }, 1000*time.Millisecond, 50*time.Millisecond) assert.NoDirExists(t, dirPath) diff --git a/internal/common/transferschecker_test.go b/internal/common/transferschecker_test.go index 30656d30..1311f7c2 100644 --- a/internal/common/transferschecker_test.go +++ b/internal/common/transferschecker_test.go @@ -83,7 +83,7 @@ func TestTransfersCheckerDiskQuota(t *testing.T) { assert.Equal(t, int64(120), group.UserSettings.QuotaSize) err = dataprovider.AddUser(&user, "", "") assert.NoError(t, err) - user, err = dataprovider.GetUserWithGroupSettings(username) + user, err = dataprovider.GetUserWithGroupSettings(username, "") assert.NoError(t, err) connID1 := xid.New().String() @@ -243,10 +243,10 @@ func TestTransfersCheckerDiskQuota(t *testing.T) { Connections.Remove(fakeConn3.GetID()) Connections.Remove(fakeConn4.GetID()) Connections.Remove(fakeConn5.GetID()) - stats := Connections.GetStats() + stats := Connections.GetStats("") assert.Len(t, stats, 0) - err = dataprovider.DeleteUser(user.Username, "", "") + err = dataprovider.DeleteUser(user.Username, "", "", "") assert.NoError(t, err) err = os.RemoveAll(user.GetHomeDir()) assert.NoError(t, err) @@ -366,10 +366,10 @@ func TestTransferCheckerTransferQuota(t *testing.T) { Connections.Remove(fakeConn3.GetID()) Connections.Remove(fakeConn4.GetID()) - stats := Connections.GetStats() + stats := Connections.GetStats("") assert.Len(t, stats, 0) - err = dataprovider.DeleteUser(user.Username, "", "") + err = dataprovider.DeleteUser(user.Username, "", "", "") assert.NoError(t, err) err = os.RemoveAll(user.GetHomeDir()) assert.NoError(t, err) @@ -671,7 +671,7 @@ func TestGetUsersForQuotaCheck(t *testing.T) { } for i := 0; i < 40; i++ { - err = dataprovider.DeleteUser(fmt.Sprintf("user%v", i), "", "") + err = dataprovider.DeleteUser(fmt.Sprintf("user%v", i), "", "", "") assert.NoError(t, err) err = dataprovider.DeleteFolder(fmt.Sprintf("f%v", i), "", "") assert.NoError(t, err) diff --git a/internal/dataprovider/actions.go b/internal/dataprovider/actions.go index 91452f64..2acf63d3 100644 --- a/internal/dataprovider/actions.go +++ b/internal/dataprovider/actions.go @@ -50,6 +50,7 @@ const ( actionObjectShare = "share" actionObjectEventAction = "event_action" actionObjectEventRule = "event_rule" + actionObjectRole = "role" ) var ( diff --git a/internal/dataprovider/admin.go b/internal/dataprovider/admin.go index 3ea459c3..d4640c42 100644 --- a/internal/dataprovider/admin.go +++ b/internal/dataprovider/admin.go @@ -56,6 +56,7 @@ const ( PermAdminMetadataChecks = "metadata_checks" PermAdminViewEvents = "view_events" PermAdminManageEventRules = "manage_event_rules" + PermAdminManageRoles = "manage_roles" ) const ( @@ -70,9 +71,11 @@ const ( var ( validAdminPerms = []string{PermAdminAny, PermAdminAddUsers, PermAdminChangeUsers, PermAdminDeleteUsers, PermAdminViewUsers, PermAdminManageGroups, PermAdminViewConnections, PermAdminCloseConnections, - PermAdminViewServerStatus, PermAdminManageAdmins, PermAdminManageAPIKeys, PermAdminQuotaScans, - PermAdminManageSystem, PermAdminManageDefender, PermAdminViewDefender, PermAdminRetentionChecks, - PermAdminMetadataChecks, PermAdminViewEvents} + PermAdminViewServerStatus, PermAdminManageAdmins, PermAdminManageRoles, PermAdminManageEventRules, + PermAdminManageAPIKeys, PermAdminQuotaScans, PermAdminManageSystem, PermAdminManageDefender, + PermAdminViewDefender, PermAdminRetentionChecks, PermAdminMetadataChecks, PermAdminViewEvents} + forbiddenPermsForRoleAdmins = []string{PermAdminAny, PermAdminManageAdmins, PermAdminManageSystem, + PermAdminManageEventRules, PermAdminManageRoles, PermAdminViewEvents} ) // AdminTOTPConfig defines the time-based one time password configuration @@ -255,6 +258,14 @@ type Admin struct { UpdatedAt int64 `json:"updated_at"` // Last login as unix timestamp in milliseconds LastLogin int64 `json:"last_login"` + // Role name. If set the admin can only administer users with the same role. + // Role admins cannot have the following permissions: + // - manage_admins + // - manage_apikeys + // - manage_system + // - manage_event_rules + // - manage_roles + Role string `json:"role,omitempty"` } // CountUnusedRecoveryCodes returns the number of unused recovery codes @@ -322,7 +333,13 @@ func (a *Admin) validatePermissions() error { } for _, perm := range a.Permissions { if !util.Contains(validAdminPerms, perm) { - return util.NewValidationError(fmt.Sprintf("invalid permission: %#v", perm)) + return util.NewValidationError(fmt.Sprintf("invalid permission: %q", perm)) + } + if a.Role != "" { + if util.Contains(forbiddenPermsForRoleAdmins, perm) { + return util.NewValidationError(fmt.Sprintf("a role admin cannot have the following permissions: %q", + strings.Join(forbiddenPermsForRoleAdmins, ","))) + } } } return nil @@ -604,6 +621,7 @@ func (a *Admin) getACopy() Admin { LastLogin: a.LastLogin, CreatedAt: a.CreatedAt, UpdatedAt: a.UpdatedAt, + Role: a.Role, } } diff --git a/internal/dataprovider/apikey.go b/internal/dataprovider/apikey.go index eab563a7..ee98838c 100644 --- a/internal/dataprovider/apikey.go +++ b/internal/dataprovider/apikey.go @@ -165,7 +165,7 @@ func (k *APIKey) validate() error { k.Admin = "" } if k.User != "" { - _, err := provider.userExists(k.User) + _, err := provider.userExists(k.User, "") if err != nil { return util.NewValidationError(fmt.Sprintf("unable to check API key user %v: %v", k.User, err)) } diff --git a/internal/dataprovider/bolt.go b/internal/dataprovider/bolt.go index 79b587b7..1962772f 100644 --- a/internal/dataprovider/bolt.go +++ b/internal/dataprovider/bolt.go @@ -35,7 +35,7 @@ import ( ) const ( - boltDatabaseVersion = 23 + boltDatabaseVersion = 24 ) var ( @@ -47,10 +47,11 @@ var ( sharesBucket = []byte("shares") actionsBucket = []byte("events_actions") rulesBucket = []byte("events_rules") + rolesBucket = []byte("roles") dbVersionBucket = []byte("db_version") dbVersionKey = []byte("version") boltBuckets = [][]byte{usersBucket, groupsBucket, foldersBucket, adminsBucket, apiKeysBucket, - sharesBucket, actionsBucket, rulesBucket, dbVersionBucket} + sharesBucket, actionsBucket, rulesBucket, rolesBucket, dbVersionBucket} ) // BoltProvider defines the auth provider for bolt key/value store @@ -105,7 +106,7 @@ func (p *BoltProvider) validateUserAndTLSCert(username, protocol string, tlsCert if tlsCert == nil { return user, errors.New("TLS certificate cannot be null or empty") } - user, err := p.userExists(username) + user, err := p.userExists(username, "") if err != nil { providerLog(logger.LevelWarn, "error authenticating user %#v: %v", username, err) return user, err @@ -114,7 +115,7 @@ func (p *BoltProvider) validateUserAndTLSCert(username, protocol string, tlsCert } func (p *BoltProvider) validateUserAndPass(username, password, ip, protocol string) (User, error) { - user, err := p.userExists(username) + user, err := p.userExists(username, "") if err != nil { providerLog(logger.LevelWarn, "error authenticating user %#v: %v", username, err) return user, err @@ -137,7 +138,7 @@ func (p *BoltProvider) validateUserAndPubKey(username string, pubKey []byte, isS if len(pubKey) == 0 { return user, "", errors.New("credentials cannot be null or empty") } - user, err := p.userExists(username) + user, err := p.userExists(username, "") if err != nil { providerLog(logger.LevelWarn, "error authenticating user %#v: %v", username, err) return user, "", err @@ -336,7 +337,7 @@ func (p *BoltProvider) updateQuota(username string, filesAdd int, sizeAdd int64, } func (p *BoltProvider) getUsedQuota(username string) (int, int64, int64, int64, error) { - user, err := p.userExists(username) + user, err := p.userExists(username, "") if err != nil { providerLog(logger.LevelError, "unable to get quota for user %v error: %v", username, err) return 0, 0, 0, 0, err @@ -376,8 +377,12 @@ func (p *BoltProvider) addAdmin(admin *Admin) error { if err != nil { return err } + rolesBucket, err := p.getRolesBucket(tx) + if err != nil { + return err + } if a := bucket.Get([]byte(admin.Username)); a != nil { - return fmt.Errorf("admin %v already exists", admin.Username) + return fmt.Errorf("admin %q already exists", admin.Username) } id, err := bucket.NextSequence() if err != nil { @@ -393,6 +398,10 @@ func (p *BoltProvider) addAdmin(admin *Admin) error { return err } } + if err = p.addAdminToRole(admin.Username, admin.Role, rolesBucket); err != nil { + return err + } + buf, err := json.Marshal(admin) if err != nil { return err @@ -415,6 +424,10 @@ func (p *BoltProvider) updateAdmin(admin *Admin) error { if err != nil { return err } + rolesBucket, err := p.getRolesBucket(tx) + if err != nil { + return err + } var a []byte if a = bucket.Get([]byte(admin.Username)); a == nil { return util.NewRecordNotFoundError(fmt.Sprintf("admin %v does not exist", admin.Username)) @@ -425,12 +438,18 @@ func (p *BoltProvider) updateAdmin(admin *Admin) error { return err } + if err = p.removeAdminFromRole(oldAdmin.Username, oldAdmin.Role, rolesBucket); err != nil { + return err + } for idx := range oldAdmin.Groups { err = p.removeAdminFromGroupMapping(oldAdmin.Username, oldAdmin.Groups[idx].Name, groupBucket) if err != nil { return err } } + if err = p.addAdminToRole(admin.Username, admin.Role, rolesBucket); err != nil { + return err + } for idx := range admin.Groups { err = p.addAdminToGroupMapping(admin.Username, admin.Groups[idx].Name, groupBucket) if err != nil { @@ -477,6 +496,15 @@ func (p *BoltProvider) deleteAdmin(admin Admin) error { } } } + if oldAdmin.Role != "" { + rolesBucket, err := p.getRolesBucket(tx) + if err != nil { + return err + } + if err = p.removeAdminFromRole(oldAdmin.Username, oldAdmin.Role, rolesBucket); err != nil { + return err + } + } if err := p.deleteRelatedAPIKey(tx, admin.Username, APIKeyScopeAdmin); err != nil { return err @@ -560,7 +588,7 @@ func (p *BoltProvider) dumpAdmins() ([]Admin, error) { return admins, err } -func (p *BoltProvider) userExists(username string) (User, error) { +func (p *BoltProvider) userExists(username, role string) (User, error) { var user User err := p.dbHandle.View(func(tx *bolt.Tx) error { bucket, err := p.getUsersBucket(tx) @@ -569,14 +597,20 @@ func (p *BoltProvider) userExists(username string) (User, error) { } u := bucket.Get([]byte(username)) if u == nil { - return util.NewRecordNotFoundError(fmt.Sprintf("username %#v does not exist", username)) + return util.NewRecordNotFoundError(fmt.Sprintf("username %q does not exist", username)) } foldersBucket, err := p.getFoldersBucket(tx) if err != nil { return err } user, err = p.joinUserAndFolders(u, foldersBucket) - return err + if err != nil { + return err + } + if !user.hasRole(role) { + return util.NewRecordNotFoundError(fmt.Sprintf("username %q does not exist", username)) + } + return nil }) return user, err } @@ -599,6 +633,10 @@ func (p *BoltProvider) addUser(user *User) error { if err != nil { return err } + rolesBucket, err := p.getRolesBucket(tx) + if err != nil { + return err + } if u := bucket.Get([]byte(user.Username)); u != nil { return fmt.Errorf("username %v already exists", user.Username) } @@ -617,6 +655,9 @@ func (p *BoltProvider) addUser(user *User) error { user.FirstUpload = 0 user.CreatedAt = util.GetTimeAsMsSinceEpoch(time.Now()) user.UpdatedAt = util.GetTimeAsMsSinceEpoch(time.Now()) + if err := p.addUserToRole(user.Username, user.Role, rolesBucket); err != nil { + return err + } for idx := range user.VirtualFolders { err = p.addRelationToFolderMapping(&user.VirtualFolders[idx].BaseVirtualFolder, user, nil, foldersBucket) if err != nil { @@ -689,6 +730,18 @@ func (p *BoltProvider) deleteUser(user User, softDelete bool) error { if err != nil { return err } + foldersBucket, err := p.getFoldersBucket(tx) + if err != nil { + return err + } + groupBucket, err := p.getGroupsBucket(tx) + if err != nil { + return err + } + rolesBucket, err := p.getRolesBucket(tx) + if err != nil { + return err + } var u []byte if u = bucket.Get([]byte(user.Username)); u == nil { return util.NewRecordNotFoundError(fmt.Sprintf("username %q does not exist", user.Username)) @@ -698,30 +751,20 @@ func (p *BoltProvider) deleteUser(user User, softDelete bool) error { if err != nil { return err } - - if len(oldUser.VirtualFolders) > 0 { - foldersBucket, err := p.getFoldersBucket(tx) + if err := p.removeUserFromRole(oldUser.Username, oldUser.Role, rolesBucket); err != nil { + return err + } + for idx := range oldUser.VirtualFolders { + err = p.removeRelationFromFolderMapping(oldUser.VirtualFolders[idx], oldUser.Username, "", foldersBucket) if err != nil { return err } - for idx := range oldUser.VirtualFolders { - err = p.removeRelationFromFolderMapping(oldUser.VirtualFolders[idx], oldUser.Username, "", foldersBucket) - if err != nil { - return err - } - } } - if len(oldUser.Groups) > 0 { - groupBucket, err := p.getGroupsBucket(tx) + for idx := range oldUser.Groups { + err = p.removeUserFromGroupMapping(oldUser.Username, oldUser.Groups[idx].Name, groupBucket) if err != nil { return err } - for idx := range oldUser.Groups { - err = p.removeUserFromGroupMapping(oldUser.Username, oldUser.Groups[idx].Name, groupBucket) - if err != nil { - return err - } - } } if err := p.deleteRelatedAPIKey(tx, user.Username, APIKeyScopeUser); err != nil { return err @@ -901,7 +944,7 @@ func (p *BoltProvider) getUsersForQuotaCheck(toFetch map[string]bool) ([]User, e return users, err } -func (p *BoltProvider) getUsers(limit int, offset int, order string) ([]User, error) { +func (p *BoltProvider) getUsers(limit int, offset int, order, role string) ([]User, error) { users := make([]User, 0, limit) var err error if limit <= 0 { @@ -928,6 +971,9 @@ func (p *BoltProvider) getUsers(limit int, offset int, order string) ([]User, er if err != nil { return err } + if !user.hasRole(role) { + continue + } user.PrepareForRendering() users = append(users, user) if len(users) >= limit { @@ -944,6 +990,9 @@ func (p *BoltProvider) getUsers(limit int, offset int, order string) ([]User, er if err != nil { return err } + if !user.hasRole(role) { + continue + } user.PrepareForRendering() users = append(users, user) if len(users) >= limit { @@ -2519,6 +2568,187 @@ func (*BoltProvider) cleanupNodes() error { return ErrNotImplemented } +func (p *BoltProvider) roleExists(name string) (Role, error) { + var role Role + err := p.dbHandle.View(func(tx *bolt.Tx) error { + bucket, err := p.getRolesBucket(tx) + if err != nil { + return err + } + r := bucket.Get([]byte(name)) + if r == nil { + return util.NewRecordNotFoundError(fmt.Sprintf("role %q does not exist", name)) + } + return json.Unmarshal(r, &role) + }) + return role, err +} + +func (p *BoltProvider) addRole(role *Role) error { + if err := role.validate(); err != nil { + return err + } + return p.dbHandle.Update(func(tx *bolt.Tx) error { + bucket, err := p.getRolesBucket(tx) + if err != nil { + return err + } + if r := bucket.Get([]byte(role.Name)); r != nil { + return fmt.Errorf("role %q already exists", role.Name) + } + id, err := bucket.NextSequence() + if err != nil { + return err + } + role.ID = int64(id) + role.CreatedAt = util.GetTimeAsMsSinceEpoch(time.Now()) + role.UpdatedAt = util.GetTimeAsMsSinceEpoch(time.Now()) + role.Users = nil + role.Admins = nil + buf, err := json.Marshal(role) + if err != nil { + return err + } + return bucket.Put([]byte(role.Name), buf) + }) +} + +func (p *BoltProvider) updateRole(role *Role) error { + if err := role.validate(); err != nil { + return err + } + return p.dbHandle.Update(func(tx *bolt.Tx) error { + bucket, err := p.getRolesBucket(tx) + if err != nil { + return err + } + var r []byte + if r = bucket.Get([]byte(role.Name)); r == nil { + return fmt.Errorf("role %q does not exist", role.Name) + } + var oldRole Role + err = json.Unmarshal(r, &oldRole) + if err != nil { + return err + } + role.ID = oldRole.ID + role.CreatedAt = oldRole.CreatedAt + role.UpdatedAt = util.GetTimeAsMsSinceEpoch(time.Now()) + role.Users = oldRole.Users + role.Admins = oldRole.Admins + buf, err := json.Marshal(role) + if err != nil { + return err + } + return bucket.Put([]byte(role.Name), buf) + }) +} + +func (p *BoltProvider) deleteRole(role Role) error { + return p.dbHandle.Update(func(tx *bolt.Tx) error { + bucket, err := p.getRolesBucket(tx) + if err != nil { + return err + } + var r []byte + if r = bucket.Get([]byte(role.Name)); r == nil { + return fmt.Errorf("role %q does not exist", role.Name) + } + var oldRole Role + err = json.Unmarshal(r, &oldRole) + if err != nil { + return err + } + if len(oldRole.Admins) > 0 { + return util.NewValidationError(fmt.Sprintf("the role %q is referenced, it cannot be removed", oldRole.Name)) + } + if len(oldRole.Users) > 0 { + bucket, err := p.getUsersBucket(tx) + if err != nil { + return err + } + for _, username := range oldRole.Users { + if err := p.removeRoleFromUser(username, oldRole.Name, bucket); err != nil { + return err + } + } + } + + return bucket.Delete([]byte(role.Name)) + }) +} + +func (p *BoltProvider) getRoles(limit int, offset int, order string, minimal bool) ([]Role, error) { + roles := make([]Role, 0, limit) + if limit <= 0 { + return roles, nil + } + err := p.dbHandle.View(func(tx *bolt.Tx) error { + bucket, err := p.getRolesBucket(tx) + if err != nil { + return err + } + cursor := bucket.Cursor() + itNum := 0 + if order == OrderASC { + for k, v := cursor.First(); k != nil; k, v = cursor.Next() { + itNum++ + if itNum <= offset { + continue + } + var role Role + err = json.Unmarshal(v, &role) + if err != nil { + return err + } + roles = append(roles, role) + if len(roles) >= limit { + break + } + } + } else { + for k, v := cursor.Last(); k != nil; k, v = cursor.Prev() { + itNum++ + if itNum <= offset { + continue + } + var role Role + err = json.Unmarshal(v, &role) + if err != nil { + return err + } + roles = append(roles, role) + if len(roles) >= limit { + break + } + } + } + return nil + }) + return roles, err +} + +func (p *BoltProvider) dumpRoles() ([]Role, error) { + roles := make([]Role, 0, 10) + err := p.dbHandle.View(func(tx *bolt.Tx) error { + bucket, err := p.getRolesBucket(tx) + if err != nil { + return err + } + cursor := bucket.Cursor() + for k, v := cursor.First(); k != nil; k, v = cursor.Next() { + var role Role + err = json.Unmarshal(v, &role) + if err != nil { + return err + } + roles = append(roles, role) + } + return err + }) + return roles, err +} + func (p *BoltProvider) setFirstDownloadTimestamp(username string) error { return p.dbHandle.Update(func(tx *bolt.Tx) error { bucket, err := p.getUsersBucket(tx) @@ -2603,6 +2833,10 @@ func (p *BoltProvider) migrateDatabase() error { providerLog(logger.LevelError, "%v", err) logger.ErrorToConsole("%v", err) return err + case version == 23: + logger.InfoToConsole(fmt.Sprintf("updating database schema version: %d -> 24", version)) + providerLog(logger.LevelInfo, "updating database schema version: %d -> 24", version) + return updateBoltDatabaseVersion(p.dbHandle, 24) default: if version > boltDatabaseVersion { providerLog(logger.LevelError, "database schema version %d is newer than the supported one: %d", version, @@ -2624,6 +2858,44 @@ func (p *BoltProvider) revertDatabase(targetVersion int) error { return errors.New("current version match target version, nothing to do") } switch dbVersion.Version { + case 24: + logger.InfoToConsole("downgrading database schema version: %d -> 23", dbVersion.Version) + providerLog(logger.LevelInfo, "downgrading database schema version: %d -> 23", dbVersion.Version) + err := p.dbHandle.Update(func(tx *bolt.Tx) error { + roles, err := p.dumpRoles() + if err != nil { + return err + } + adminsBucket, err := p.getAdminsBucket(tx) + if err != nil { + return err + } + usersBucket, err := p.getUsersBucket(tx) + if err != nil { + return err + } + for _, role := range roles { + for _, admin := range role.Admins { + if err := p.removeRoleFromAdmin(admin, role.Name, adminsBucket); err != nil { + return err + } + } + for _, user := range role.Users { + if err := p.removeRoleFromUser(user, role.Name, usersBucket); err != nil { + return err + } + } + } + err = tx.DeleteBucket(rolesBucket) + if err != nil && !errors.Is(err, bolt.ErrBucketNotFound) { + return err + } + return nil + }) + if err != nil { + return err + } + return updateBoltDatabaseVersion(p.dbHandle, 23) default: return fmt.Errorf("database schema version not handled: %v", dbVersion.Version) } @@ -2748,6 +3020,163 @@ func (p *BoltProvider) addFolderInternal(folder vfs.BaseVirtualFolder, bucket *b return bucket.Put([]byte(folder.Name), buf) } +func (p *BoltProvider) removeRoleFromUser(username, role string, bucket *bolt.Bucket) error { + u := bucket.Get([]byte(username)) + if u == nil { + providerLog(logger.LevelWarn, "user %q does not exist, cannot remove role %q", username, role) + return nil + } + var user User + err := json.Unmarshal(u, &user) + if err != nil { + return err + } + if user.Role == role { + user.Role = "" + buf, err := json.Marshal(user) + if err != nil { + return err + } + return bucket.Put([]byte(user.Username), buf) + } + providerLog(logger.LevelError, "user %q does not have the expected role %q, actual %q", username, role, user.Role) + return nil +} + +func (p *BoltProvider) removeRoleFromAdmin(username, role string, bucket *bolt.Bucket) error { + a := bucket.Get([]byte(username)) + if a == nil { + providerLog(logger.LevelWarn, "admin %q does not exist, cannot remove role %q", username, role) + return nil + } + var admin Admin + err := json.Unmarshal(a, &admin) + if err != nil { + return err + } + if admin.Role == role { + admin.Role = "" + buf, err := json.Marshal(admin) + if err != nil { + return err + } + return bucket.Put([]byte(admin.Username), buf) + } + providerLog(logger.LevelError, "admin %q does not have the expected role %q, actual %q", username, role, admin.Role) + return nil +} + +func (p *BoltProvider) addAdminToRole(username, roleName string, bucket *bolt.Bucket) error { + if roleName == "" { + return nil + } + r := bucket.Get([]byte(roleName)) + if r == nil { + return util.NewGenericError(fmt.Sprintf("role %q does not exist", roleName)) + } + var role Role + err := json.Unmarshal(r, &role) + if err != nil { + return err + } + if !util.Contains(role.Admins, username) { + role.Admins = append(role.Admins, username) + buf, err := json.Marshal(role) + if err != nil { + return err + } + return bucket.Put([]byte(role.Name), buf) + } + return nil +} + +func (p *BoltProvider) removeAdminFromRole(username, roleName string, bucket *bolt.Bucket) error { + if roleName == "" { + return nil + } + r := bucket.Get([]byte(roleName)) + if r == nil { + providerLog(logger.LevelWarn, "role %q does not exist, cannot remove admin %q", roleName, username) + return nil + } + var role Role + err := json.Unmarshal(r, &role) + if err != nil { + return err + } + if util.Contains(role.Admins, username) { + var admins []string + for _, admin := range role.Admins { + if admin != username { + admins = append(admins, admin) + } + } + role.Admins = util.RemoveDuplicates(admins, false) + buf, err := json.Marshal(role) + if err != nil { + return err + } + return bucket.Put([]byte(role.Name), buf) + } + return nil +} + +func (p *BoltProvider) addUserToRole(username, roleName string, bucket *bolt.Bucket) error { + if roleName == "" { + return nil + } + r := bucket.Get([]byte(roleName)) + if r == nil { + return util.NewGenericError(fmt.Sprintf("role %q does not exist", roleName)) + } + var role Role + err := json.Unmarshal(r, &role) + if err != nil { + return err + } + if !util.Contains(role.Users, username) { + role.Users = append(role.Users, username) + buf, err := json.Marshal(role) + if err != nil { + return err + } + return bucket.Put([]byte(role.Name), buf) + } + return nil +} + +func (p *BoltProvider) removeUserFromRole(username, roleName string, bucket *bolt.Bucket) error { + if roleName == "" { + return nil + } + r := bucket.Get([]byte(roleName)) + if r == nil { + providerLog(logger.LevelWarn, "role %q does not exist, cannot remove admin %q", roleName, username) + return nil + } + var role Role + err := json.Unmarshal(r, &role) + if err != nil { + return err + } + if util.Contains(role.Users, username) { + var users []string + for _, user := range role.Users { + if user != username { + users = append(users, user) + } + } + users = util.RemoveDuplicates(users, false) + role.Users = users + buf, err := json.Marshal(role) + if err != nil { + return err + } + return bucket.Put([]byte(role.Name), buf) + } + return nil +} + func (p *BoltProvider) addRuleToActionMapping(ruleName, actionName string, bucket *bolt.Bucket) error { a := bucket.Get([]byte(actionName)) if a == nil { @@ -3000,7 +3429,11 @@ func (p *BoltProvider) updateUserRelations(tx *bolt.Tx, user *User, oldUser User if err != nil { return err } - groupBucket, err := p.getGroupsBucket(tx) + groupsBucket, err := p.getGroupsBucket(tx) + if err != nil { + return err + } + rolesBucket, err := p.getRolesBucket(tx) if err != nil { return err } @@ -3011,11 +3444,14 @@ func (p *BoltProvider) updateUserRelations(tx *bolt.Tx, user *User, oldUser User } } for idx := range oldUser.Groups { - err = p.removeUserFromGroupMapping(user.Username, oldUser.Groups[idx].Name, groupBucket) + err = p.removeUserFromGroupMapping(user.Username, oldUser.Groups[idx].Name, groupsBucket) if err != nil { return err } } + if err = p.removeUserFromRole(oldUser.Username, oldUser.Role, rolesBucket); err != nil { + return err + } for idx := range user.VirtualFolders { err = p.addRelationToFolderMapping(&user.VirtualFolders[idx].BaseVirtualFolder, user, nil, foldersBucket) if err != nil { @@ -3023,12 +3459,12 @@ func (p *BoltProvider) updateUserRelations(tx *bolt.Tx, user *User, oldUser User } } for idx := range user.Groups { - err = p.addUserToGroupMapping(user.Username, user.Groups[idx].Name, groupBucket) + err = p.addUserToGroupMapping(user.Username, user.Groups[idx].Name, groupsBucket) if err != nil { return err } } - return nil + return p.addUserToRole(user.Username, user.Role, rolesBucket) } func (p *BoltProvider) adminExistsInternal(tx *bolt.Tx, username string) error { @@ -3163,6 +3599,15 @@ func (p *BoltProvider) getGroupsBucket(tx *bolt.Tx) (*bolt.Bucket, error) { return bucket, err } +func (p *BoltProvider) getRolesBucket(tx *bolt.Tx) (*bolt.Bucket, error) { + var err error + bucket := tx.Bucket(rolesBucket) + if bucket == nil { + err = fmt.Errorf("unable to find roles bucket, bolt database structure not correcly defined") + } + return bucket, err +} + func (p *BoltProvider) getFoldersBucket(tx *bolt.Tx) (*bolt.Bucket, error) { var err error bucket := tx.Bucket(foldersBucket) @@ -3209,7 +3654,7 @@ func getBoltDatabaseVersion(dbHandle *bolt.DB) (schemaVersion, error) { return dbVersion, err } -/*func updateBoltDatabaseVersion(dbHandle *bolt.DB, version int) error { +func updateBoltDatabaseVersion(dbHandle *bolt.DB, version int) error { err := dbHandle.Update(func(tx *bolt.Tx) error { bucket := tx.Bucket(dbVersionBucket) if bucket == nil { @@ -3225,4 +3670,4 @@ func getBoltDatabaseVersion(dbHandle *bolt.DB) (schemaVersion, error) { return bucket.Put(dbVersionKey, buf) }) return err -}*/ +} diff --git a/internal/dataprovider/dataprovider.go b/internal/dataprovider/dataprovider.go index 78774b18..86950af2 100644 --- a/internal/dataprovider/dataprovider.go +++ b/internal/dataprovider/dataprovider.go @@ -87,7 +87,7 @@ const ( CockroachDataProviderName = "cockroachdb" // DumpVersion defines the version for the dump. // For restore/load we support the current version and the previous one - DumpVersion = 13 + DumpVersion = 14 argonPwdPrefix = "$argon2id$" bcryptPwdPrefix = "$2a$" @@ -190,6 +190,7 @@ var ( sqlTableRulesActionsMapping string sqlTableTasks string sqlTableNodes string + sqlTableRoles string sqlTableSchemaVersion string argon2Params *argon2id.Params lastLoginMinDelay = 10 * time.Minute @@ -221,6 +222,7 @@ func initSQLTables() { sqlTableRulesActionsMapping = "rules_actions_mapping" sqlTableTasks = "tasks" sqlTableNodes = "nodes" + sqlTableRoles = "roles" sqlTableSchemaVersion = "schema_version" } @@ -660,6 +662,7 @@ type BackupData struct { Shares []Share `json:"shares"` EventActions []BaseEventAction `json:"event_actions"` EventRules []EventRule `json:"event_rules"` + Roles []Role `json:"roles"` Version int `json:"version"` } @@ -706,12 +709,12 @@ type Provider interface { updateQuota(username string, filesAdd int, sizeAdd int64, reset bool) error updateTransferQuota(username string, uploadSize, downloadSize int64, reset bool) error getUsedQuota(username string) (int, int64, int64, int64, error) - userExists(username string) (User, error) + userExists(username, role string) (User, error) addUser(user *User) error updateUser(user *User) error deleteUser(user User, softDelete bool) error updateUserPassword(username, password string) error - getUsers(limit int, offset int, order string) ([]User, error) + getUsers(limit int, offset int, order, role string) ([]User, error) dumpUsers() ([]User, error) getRecentlyUpdatedUsers(after int64) ([]User, error) getUsersForQuotaCheck(toFetch map[string]bool) ([]User, error) @@ -796,6 +799,12 @@ type Provider interface { getNodes() ([]Node, error) updateNodeTimestamp() error cleanupNodes() error + roleExists(name string) (Role, error) + addRole(role *Role) error + updateRole(role *Role) error + deleteRole(role Role) error + getRoles(limit int, offset int, order string, minimal bool) ([]Role, error) + dumpRoles() ([]Role, error) checkAvailability() error close() error reloadConfig() error @@ -974,16 +983,17 @@ func validateSQLTablesPrefix() error { sqlTableRulesActionsMapping = config.SQLTablesPrefix + sqlTableRulesActionsMapping sqlTableTasks = config.SQLTablesPrefix + sqlTableTasks sqlTableNodes = config.SQLTablesPrefix + sqlTableNodes + sqlTableRoles = config.SQLTablesPrefix + sqlTableRoles sqlTableSchemaVersion = config.SQLTablesPrefix + sqlTableSchemaVersion providerLog(logger.LevelDebug, "sql table for users %q, folders %q users folders mapping %q admins %q "+ "api keys %q shares %q defender hosts %q defender events %q transfers %q groups %q "+ "users groups mapping %q admins groups mapping %q groups folders mapping %q shared sessions %q "+ - "schema version %q events actions %q events rules %q rules actions mapping %q tasks %q nodes %q", + "schema version %q events actions %q events rules %q rules actions mapping %q tasks %q nodes %q roles %q", sqlTableUsers, sqlTableFolders, sqlTableUsersFoldersMapping, sqlTableAdmins, sqlTableAPIKeys, sqlTableShares, sqlTableDefenderHosts, sqlTableDefenderEvents, sqlTableActiveTransfers, sqlTableGroups, sqlTableUsersGroupsMapping, sqlTableAdminsGroupsMapping, sqlTableGroupsFoldersMapping, sqlTableSharedSessions, sqlTableSchemaVersion, sqlTableEventsActions, sqlTableEventsRules, sqlTableRulesActionsMapping, - sqlTableTasks, sqlTableNodes) + sqlTableTasks, sqlTableNodes, sqlTableRoles) } return nil } @@ -1158,7 +1168,7 @@ func CheckUserBeforeTLSAuth(username, ip, protocol string, tlsCert *x509.Certifi err = user.LoadAndApplyGroupSettings() return user, err } - user, err := UserExists(username) + user, err := UserExists(username, "") if err != nil { return user, err } @@ -1261,7 +1271,7 @@ func CheckKeyboardInteractiveAuth(username, authHook string, client ssh.Keyboard } else if config.PreLoginHook != "" { user, err = executePreLoginHook(username, SSHLoginMethodKeyboardInteractive, ip, protocol, nil) } else { - user, err = provider.userExists(username) + user, err = provider.userExists(username, "") } if err != nil { return user, err @@ -1279,7 +1289,7 @@ func GetFTPPreAuthUser(username, ip string) (User, error) { if config.PreLoginHook != "" { user, err = executePreLoginHook(username, "", ip, protocolFTP, nil) } else { - user, err = UserExists(username) + user, err = UserExists(username, "") } if err != nil { return user, err @@ -1298,7 +1308,7 @@ func GetUserAfterIDPAuth(username, ip, protocol string, oidcTokenFields *map[str if config.PreLoginHook != "" { user, err = executePreLoginHook(username, LoginMethodIDP, ip, protocol, oidcTokenFields) } else { - user, err = UserExists(username) + user, err = UserExists(username, "") } if err != nil { return user, err @@ -1532,6 +1542,57 @@ func ShareExists(shareID, username string) (Share, error) { return provider.shareExists(shareID, username) } +// AddRole adds a new role +func AddRole(role *Role, executor, ipAddress string) error { + role.Name = config.convertName(role.Name) + err := provider.addRole(role) + if err == nil { + executeAction(operationAdd, executor, ipAddress, actionObjectRole, role.Name, role) + } + return err +} + +// UpdateRole updates an existing Role +func UpdateRole(role *Role, executor, ipAddress string) error { + err := provider.updateRole(role) + if err == nil { + executeAction(operationUpdate, executor, ipAddress, actionObjectRole, role.Name, role) + } + return err +} + +// DeleteRole deletes an existing Role +func DeleteRole(name string, executor, ipAddress string) error { + name = config.convertName(name) + role, err := provider.roleExists(name) + if err != nil { + return err + } + if len(role.Admins) > 0 { + errorString := fmt.Sprintf("the role %q is referenced, it cannot be removed", role.Name) + return util.NewValidationError(errorString) + } + err = provider.deleteRole(role) + if err == nil { + executeAction(operationDelete, executor, ipAddress, actionObjectRole, role.Name, &role) + for _, user := range role.Users { + provider.setUpdatedAt(user) + u, err := provider.userExists(user, "") + if err == nil { + webDAVUsersCache.swap(&u) + executeAction(operationUpdate, executor, ipAddress, actionObjectUser, u.Username, &u) + } + } + } + return err +} + +// RoleExists returns the Role with the given name if it exists +func RoleExists(name string) (Role, error) { + name = config.convertName(name) + return provider.roleExists(name) +} + // AddGroup adds a new group func AddGroup(group *Group, executor, ipAddress string) error { group.Name = config.convertName(group.Name) @@ -1548,7 +1609,7 @@ func UpdateGroup(group *Group, users []string, executor, ipAddress string) error if err == nil { for _, user := range users { provider.setUpdatedAt(user) - u, err := provider.userExists(user) + u, err := provider.userExists(user, "") if err == nil { webDAVUsersCache.swap(&u) executeAction(operationUpdate, executor, ipAddress, actionObjectUser, u.Username, &u) @@ -1569,14 +1630,14 @@ func DeleteGroup(name string, executor, ipAddress string) error { return err } if len(group.Users) > 0 { - errorString := fmt.Sprintf("the group %#v is referenced, it cannot be removed", group.Name) + errorString := fmt.Sprintf("the group %q is referenced, it cannot be removed", group.Name) return util.NewValidationError(errorString) } err = provider.deleteGroup(group) if err == nil { for _, user := range group.Users { provider.setUpdatedAt(user) - u, err := provider.userExists(user) + u, err := provider.userExists(user, "") if err == nil { executeAction(operationUpdate, executor, ipAddress, actionObjectUser, u.Username, &u) } @@ -1840,16 +1901,16 @@ func AdminExists(username string) (Admin, error) { } // UserExists checks if the given SFTPGo username exists, returns an error if no match is found -func UserExists(username string) (User, error) { +func UserExists(username, role string) (User, error) { username = config.convertName(username) - return provider.userExists(username) + return provider.userExists(username, role) } // GetUserWithGroupSettings tries to return the user with the specified username // loading also the group settings -func GetUserWithGroupSettings(username string) (User, error) { +func GetUserWithGroupSettings(username, role string) (User, error) { username = config.convertName(username) - user, err := provider.userExists(username) + user, err := provider.userExists(username, role) if err != nil { return user, err } @@ -1859,9 +1920,9 @@ func GetUserWithGroupSettings(username string) (User, error) { // GetUserVariants tries to return the user with the specified username with and without // group settings applied -func GetUserVariants(username string) (User, User, error) { +func GetUserVariants(username, role string) (User, User, error) { username = config.convertName(username) - user, err := provider.userExists(username) + user, err := provider.userExists(username, role) if err != nil { return user, User{}, err } @@ -1872,10 +1933,6 @@ func GetUserVariants(username string) (User, User, error) { // AddUser adds a new SFTPGo user. func AddUser(user *User, executor, ipAddress string) error { - user.Filters.RecoveryCodes = nil - user.Filters.TOTPConfig = UserTOTPConfig{ - Enabled: false, - } user.Username = config.convertName(user.Username) err := provider.addUser(user) if err == nil { @@ -1914,9 +1971,9 @@ func UpdateUser(user *User, executor, ipAddress string) error { } // DeleteUser deletes an existing SFTPGo user. -func DeleteUser(username, executor, ipAddress string) error { +func DeleteUser(username, executor, ipAddress, role string) error { username = config.convertName(username) - user, err := provider.userExists(username) + user, err := provider.userExists(username, role) if err != nil { return err } @@ -2028,14 +2085,19 @@ func GetAdmins(limit, offset int, order string) ([]Admin, error) { return provider.getAdmins(limit, offset, order) } +// GetRoles returns an array of roles respecting limit and offset +func GetRoles(limit, offset int, order string, minimal bool) ([]Role, error) { + return provider.getRoles(limit, offset, order, minimal) +} + // GetGroups returns an array of groups respecting limit and offset func GetGroups(limit, offset int, order string, minimal bool) ([]Group, error) { return provider.getGroups(limit, offset, order, minimal) } // GetUsers returns an array of users respecting limit and offset -func GetUsers(limit, offset int, order string) ([]User, error) { - return provider.getUsers(limit, offset, order) +func GetUsers(limit, offset int, order, role string) ([]User, error) { + return provider.getUsers(limit, offset, order, role) } // GetUsersForQuotaCheck returns the users with the fields required for a quota check @@ -2067,7 +2129,7 @@ func UpdateFolder(folder *vfs.BaseVirtualFolder, users []string, groups []string } for _, user := range users { provider.setUpdatedAt(user) - u, err := provider.userExists(user) + u, err := provider.userExists(user, "") if err == nil { webDAVUsersCache.swap(&u) executeAction(operationUpdate, executor, ipAddress, actionObjectUser, u.Username, &u) @@ -2099,7 +2161,7 @@ func DeleteFolder(folderName, executor, ipAddress string) error { } for _, user := range users { provider.setUpdatedAt(user) - u, err := provider.userExists(user) + u, err := provider.userExists(user, "") if err == nil { executeAction(operationUpdate, executor, ipAddress, actionObjectUser, u.Username, &u) } @@ -2166,6 +2228,10 @@ func DumpData() (BackupData, error) { if err != nil { return data, err } + roles, err := provider.dumpRoles() + if err != nil { + return data, err + } data.Users = users data.Groups = groups data.Folders = folders @@ -2174,6 +2240,7 @@ func DumpData() (BackupData, error) { data.Shares = shares data.EventActions = actions data.EventRules = rules + data.Roles = roles data.Version = DumpVersion return data, err } @@ -2749,7 +2816,7 @@ func validateBaseParams(user *User) error { return util.NewValidationError(fmt.Sprintf("email %#v is not valid", user.Email)) } if config.NamingRules&1 == 0 && !usernameRegex.MatchString(user.Username) { - return util.NewValidationError(fmt.Sprintf("username %#v is not valid, the following characters are allowed: a-zA-Z0-9-_.~", + return util.NewValidationError(fmt.Sprintf("username %q is not valid, the following characters are allowed: a-zA-Z0-9-_.~", user.Username)) } if user.hasRedactedSecret() { @@ -2821,7 +2888,7 @@ func ValidateFolder(folder *vfs.BaseVirtualFolder) error { return util.NewValidationError("folder name is mandatory") } if config.NamingRules&1 == 0 && !usernameRegex.MatchString(folder.Name) { - return util.NewValidationError(fmt.Sprintf("folder name %#v is not valid, the following characters are allowed: a-zA-Z0-9-_.~", + return util.NewValidationError(fmt.Sprintf("folder name %q is not valid, the following characters are allowed: a-zA-Z0-9-_.~", folder.Name)) } if folder.FsConfig.Provider == sdk.LocalFilesystemProvider || folder.FsConfig.Provider == sdk.CryptedFilesystemProvider || @@ -3671,7 +3738,7 @@ func executePreLoginHook(username, loginMethod, ip, protocol string, oidcTokenFi } providerLog(logger.LevelDebug, "user %#v added/updated from pre-login hook response, id: %v", username, userID) if userID == 0 { - return provider.userExists(username) + return provider.userExists(username, "") } return u, nil } @@ -3875,7 +3942,7 @@ func doExternalAuth(username, password string, pubKey []byte, keyboardInteractiv // returns "user" in both cases, so we use the username returned from // external auth and not the one used to login if user.Username != username { - u, err = provider.userExists(user.Username) + u, err = provider.userExists(user.Username, "") } if u.ID > 0 && err == nil { user.ID = u.ID @@ -3903,7 +3970,7 @@ func doExternalAuth(username, password string, pubKey []byte, keyboardInteractiv if err != nil { return user, err } - return provider.userExists(user.Username) + return provider.userExists(user.Username, "") } func doPluginAuth(username, password string, pubKey []byte, ip, protocol string, @@ -3975,11 +4042,11 @@ func doPluginAuth(username, password string, pubKey []byte, ip, protocol string, if err != nil { return user, err } - return provider.userExists(user.Username) + return provider.userExists(user.Username, "") } func getUserForHook(username string, oidcTokenFields *map[string]any) (User, User, error) { - u, err := provider.userExists(username) + u, err := provider.userExists(username, "") if err != nil { if _, ok := err.(*util.RecordNotFoundError); !ok { return u, u, err diff --git a/internal/dataprovider/group.go b/internal/dataprovider/group.go index 3fbc82b8..8f91d0ea 100644 --- a/internal/dataprovider/group.go +++ b/internal/dataprovider/group.go @@ -138,7 +138,7 @@ func (g *Group) validate() error { return util.NewValidationError("name is mandatory") } if config.NamingRules&1 == 0 && !usernameRegex.MatchString(g.Name) { - return util.NewValidationError(fmt.Sprintf("name %#v is not valid, the following characters are allowed: a-zA-Z0-9-_.~", g.Name)) + return util.NewValidationError(fmt.Sprintf("name %q is not valid, the following characters are allowed: a-zA-Z0-9-_.~", g.Name)) } if g.hasRedactedSecret() { return util.NewValidationError("cannot save a user with a redacted secret") diff --git a/internal/dataprovider/memory.go b/internal/dataprovider/memory.go index 6159b870..811846cf 100644 --- a/internal/dataprovider/memory.go +++ b/internal/dataprovider/memory.go @@ -70,6 +70,10 @@ type memoryProviderHandle struct { rules map[string]EventRule // slice with ordered rules rulesNames []string + // map for roles, name is the key + roles map[string]Role + // slice with ordered roles + roleNames []string } // MemoryProvider defines the auth provider for a memory store @@ -104,6 +108,8 @@ func initializeMemoryProvider(basePath string) { actionsNames: []string{}, rules: make(map[string]EventRule), rulesNames: []string{}, + roles: map[string]Role{}, + roleNames: []string{}, configFile: configFile, }, } @@ -137,7 +143,7 @@ func (p *MemoryProvider) validateUserAndTLSCert(username, protocol string, tlsCe if tlsCert == nil { return user, errors.New("TLS certificate cannot be null or empty") } - user, err := p.userExists(username) + user, err := p.userExists(username, "") if err != nil { providerLog(logger.LevelWarn, "error authenticating user %#v: %v", username, err) return user, err @@ -146,7 +152,7 @@ func (p *MemoryProvider) validateUserAndTLSCert(username, protocol string, tlsCe } func (p *MemoryProvider) validateUserAndPass(username, password, ip, protocol string) (User, error) { - user, err := p.userExists(username) + user, err := p.userExists(username, "") if err != nil { providerLog(logger.LevelWarn, "error authenticating user %#v: %v", username, err) return user, err @@ -159,7 +165,7 @@ func (p *MemoryProvider) validateUserAndPubKey(username string, pubKey []byte, i if len(pubKey) == 0 { return user, "", errors.New("credentials cannot be null or empty") } - user, err := p.userExists(username) + user, err := p.userExists(username, "") if err != nil { providerLog(logger.LevelWarn, "error authenticating user %#v: %v", username, err) return user, "", err @@ -317,7 +323,7 @@ func (p *MemoryProvider) addUser(user *User) error { _, err = p.userExistsInternal(user.Username) if err == nil { - return fmt.Errorf("username %#v already exists", user.Username) + return fmt.Errorf("username %q already exists", user.Username) } user.ID = p.getNextID() user.LastQuotaUpdate = 0 @@ -330,6 +336,9 @@ func (p *MemoryProvider) addUser(user *User) error { user.FirstDownload = 0 user.CreatedAt = util.GetTimeAsMsSinceEpoch(time.Now()) user.UpdatedAt = util.GetTimeAsMsSinceEpoch(time.Now()) + if err := p.addUserToRole(user.Username, user.Role); err != nil { + return err + } var mappedGroups []string for idx := range user.Groups { if err = p.addUserToGroupMapping(user.Username, user.Groups[idx].Name); err != nil { @@ -366,6 +375,15 @@ func (p *MemoryProvider) updateUser(user *User) error { if err != nil { return err } + p.removeUserFromRole(u.Username, u.Role) + if err := p.addUserToRole(user.Username, user.Role); err != nil { + // try ro add old role + if errRollback := p.addUserToRole(u.Username, u.Role); errRollback != nil { + providerLog(logger.LevelError, "unable to rollback old role %q for user %q, error: %v", + u.Role, u.Username, errRollback) + } + return err + } for idx := range u.Groups { p.removeUserFromGroupMapping(u.Username, u.Groups[idx].Name) } @@ -412,6 +430,7 @@ func (p *MemoryProvider) deleteUser(user User, softDelete bool) error { if err != nil { return err } + p.removeUserFromRole(u.Username, u.Role) for _, oldFolder := range u.VirtualFolders { p.removeRelationFromFolderMapping(oldFolder.Name, u.Username, "") } @@ -546,7 +565,7 @@ func (p *MemoryProvider) getUsersForQuotaCheck(toFetch map[string]bool) ([]User, return users, nil } -func (p *MemoryProvider) getUsers(limit int, offset int, order string) ([]User, error) { +func (p *MemoryProvider) getUsers(limit int, offset int, order, role string) ([]User, error) { users := make([]User, 0, limit) var err error p.dbHandle.Lock() @@ -566,6 +585,9 @@ func (p *MemoryProvider) getUsers(limit int, offset int, order string) ([]User, } u := p.dbHandle.users[username] user := u.getACopy() + if !user.hasRole(role) { + continue + } p.addVirtualFoldersToUser(&user) user.PrepareForRendering() users = append(users, user) @@ -582,6 +604,9 @@ func (p *MemoryProvider) getUsers(limit int, offset int, order string) ([]User, username := p.dbHandle.usernames[i] u := p.dbHandle.users[username] user := u.getACopy() + if !user.hasRole(role) { + continue + } p.addVirtualFoldersToUser(&user) user.PrepareForRendering() users = append(users, user) @@ -593,7 +618,7 @@ func (p *MemoryProvider) getUsers(limit int, offset int, order string) ([]User, return users, err } -func (p *MemoryProvider) userExists(username string) (User, error) { +func (p *MemoryProvider) userExists(username, role string) (User, error) { p.dbHandle.Lock() defer p.dbHandle.Unlock() if p.dbHandle.isClosed { @@ -603,6 +628,9 @@ func (p *MemoryProvider) userExists(username string) (User, error) { if err != nil { return user, err } + if !user.hasRole(role) { + return User{}, util.NewRecordNotFoundError(fmt.Sprintf("username %q does not exist", username)) + } p.addVirtualFoldersToUser(&user) return user, nil } @@ -635,6 +663,13 @@ func (p *MemoryProvider) ruleExistsInternal(name string) (EventRule, error) { return EventRule{}, util.NewRecordNotFoundError(fmt.Sprintf("event rule %q does not exist", name)) } +func (p *MemoryProvider) roleExistsInternal(name string) (Role, error) { + if val, ok := p.dbHandle.roles[name]; ok { + return val.getACopy(), nil + } + return Role{}, util.NewRecordNotFoundError(fmt.Sprintf("role %q does not exist", name)) +} + func (p *MemoryProvider) addAdmin(admin *Admin) error { p.dbHandle.Lock() defer p.dbHandle.Unlock() @@ -653,6 +688,9 @@ func (p *MemoryProvider) addAdmin(admin *Admin) error { admin.CreatedAt = util.GetTimeAsMsSinceEpoch(time.Now()) admin.UpdatedAt = util.GetTimeAsMsSinceEpoch(time.Now()) admin.LastLogin = 0 + if err := p.addAdminToRole(admin.Username, admin.Role); err != nil { + return err + } var mappedAdmins []string for idx := range admin.Groups { if err = p.addAdminToGroupMapping(admin.Username, admin.Groups[idx].Name); err != nil { @@ -684,6 +722,15 @@ func (p *MemoryProvider) updateAdmin(admin *Admin) error { if err != nil { return err } + p.removeAdminFromRole(a.Username, a.Role) + if err := p.addAdminToRole(admin.Username, admin.Role); err != nil { + // try ro add old role + if errRollback := p.addAdminToRole(a.Username, a.Role); errRollback != nil { + providerLog(logger.LevelError, "unable to rollback old role %q for admin %q, error: %v", + a.Role, a.Username, errRollback) + } + return err + } for idx := range a.Groups { p.removeAdminFromGroupMapping(a.Username, a.Groups[idx].Name) } @@ -717,6 +764,7 @@ func (p *MemoryProvider) deleteAdmin(admin Admin) error { if err != nil { return err } + p.removeAdminFromRole(a.Username, a.Role) for idx := range a.Groups { p.removeAdminFromGroupMapping(a.Username, a.Groups[idx].Name) } @@ -1183,6 +1231,74 @@ func (p *MemoryProvider) removeUserFromGroupMapping(username, groupname string) p.dbHandle.groups[groupname] = g } +func (p *MemoryProvider) addAdminToRole(username, role string) error { + if role == "" { + return nil + } + r, err := p.roleExistsInternal(role) + if err != nil { + return util.NewGenericError(fmt.Sprintf("role %q does not exist", role)) + } + if !util.Contains(r.Admins, username) { + r.Admins = append(r.Admins, username) + p.dbHandle.roles[role] = r + } + return nil +} + +func (p *MemoryProvider) removeAdminFromRole(username, role string) { + if role == "" { + return + } + r, err := p.roleExistsInternal(role) + if err != nil { + providerLog(logger.LevelWarn, "role %q does not exist, cannot remove admin %q", role, username) + return + } + var admins []string + for _, a := range r.Admins { + if a != username { + admins = append(admins, a) + } + } + r.Admins = admins + p.dbHandle.roles[role] = r +} + +func (p *MemoryProvider) addUserToRole(username, role string) error { + if role == "" { + return nil + } + r, err := p.roleExistsInternal(role) + if err != nil { + return util.NewGenericError(fmt.Sprintf("role %q does not exist", role)) + } + if !util.Contains(r.Users, username) { + r.Users = append(r.Users, username) + p.dbHandle.roles[role] = r + } + return nil +} + +func (p *MemoryProvider) removeUserFromRole(username, role string) { + if role == "" { + return + } + r, err := p.roleExistsInternal(role) + if err != nil { + providerLog(logger.LevelWarn, "role %q does not exist, cannot remove user %q", role, username) + return + } + var users []string + for _, u := range r.Users { + if u != username { + users = append(users, u) + } + } + r.Users = users + p.dbHandle.roles[role] = r +} + func (p *MemoryProvider) joinUserVirtualFoldersFields(user *User) []vfs.VirtualFolder { var folders []vfs.VirtualFolder for idx := range user.VirtualFolders { @@ -1714,7 +1830,7 @@ func (p *MemoryProvider) addShare(share *Share) error { _, err = p.shareExistsInternal(share.ShareID, share.Username) if err == nil { - return fmt.Errorf("share %#v already exists", share.ShareID) + return fmt.Errorf("share %q already exists", share.ShareID) } if _, err := p.userExistsInternal(share.Username); err != nil { return util.NewValidationError(fmt.Sprintf("related user %#v does not exists", share.Username)) @@ -1753,7 +1869,7 @@ func (p *MemoryProvider) updateShare(share *Share) error { return err } if _, err := p.userExistsInternal(share.Username); err != nil { - return util.NewValidationError(fmt.Sprintf("related user %#v does not exists", share.Username)) + return util.NewValidationError(fmt.Sprintf("related user %q does not exists", share.Username)) } share.ID = s.ID share.ShareID = s.ShareID @@ -2322,6 +2438,158 @@ func (*MemoryProvider) cleanupNodes() error { return ErrNotImplemented } +func (p *MemoryProvider) roleExists(name string) (Role, error) { + p.dbHandle.Lock() + defer p.dbHandle.Unlock() + if p.dbHandle.isClosed { + return Role{}, errMemoryProviderClosed + } + role, err := p.roleExistsInternal(name) + if err != nil { + return role, err + } + return role, nil +} + +func (p *MemoryProvider) addRole(role *Role) error { + if err := role.validate(); err != nil { + return err + } + p.dbHandle.Lock() + defer p.dbHandle.Unlock() + if p.dbHandle.isClosed { + return errMemoryProviderClosed + } + + _, err := p.roleExistsInternal(role.Name) + if err == nil { + return fmt.Errorf("role %q already exists", role.Name) + } + role.ID = p.getNextRoleID() + role.CreatedAt = util.GetTimeAsMsSinceEpoch(time.Now()) + role.UpdatedAt = util.GetTimeAsMsSinceEpoch(time.Now()) + role.Users = nil + role.Admins = nil + p.dbHandle.roles[role.Name] = role.getACopy() + p.dbHandle.roleNames = append(p.dbHandle.roleNames, role.Name) + sort.Strings(p.dbHandle.roleNames) + return nil +} + +func (p *MemoryProvider) updateRole(role *Role) error { + if err := role.validate(); err != nil { + return err + } + p.dbHandle.Lock() + defer p.dbHandle.Unlock() + if p.dbHandle.isClosed { + return errMemoryProviderClosed + } + oldRole, err := p.roleExistsInternal(role.Name) + if err != nil { + return err + } + role.ID = oldRole.ID + role.CreatedAt = oldRole.CreatedAt + role.UpdatedAt = util.GetTimeAsMsSinceEpoch(time.Now()) + role.Users = oldRole.Users + role.Admins = oldRole.Admins + p.dbHandle.roles[role.Name] = role.getACopy() + return nil +} + +func (p *MemoryProvider) deleteRole(role Role) error { + p.dbHandle.Lock() + defer p.dbHandle.Unlock() + if p.dbHandle.isClosed { + return errMemoryProviderClosed + } + oldRole, err := p.roleExistsInternal(role.Name) + if err != nil { + return err + } + if len(oldRole.Admins) > 0 { + return util.NewValidationError(fmt.Sprintf("the role %q is referenced, it cannot be removed", oldRole.Name)) + } + for _, username := range oldRole.Users { + user, err := p.userExistsInternal(username) + if err != nil { + continue + } + if user.Role == role.Name { + user.Role = "" + p.dbHandle.users[username] = user + } else { + providerLog(logger.LevelError, "user %q does not have the expected role %q, actual %q", username, role.Name, user.Role) + } + } + delete(p.dbHandle.roles, role.Name) + p.dbHandle.roleNames = make([]string, 0, len(p.dbHandle.roles)) + for name := range p.dbHandle.roles { + p.dbHandle.roleNames = append(p.dbHandle.roleNames, name) + } + sort.Strings(p.dbHandle.roleNames) + return nil +} + +func (p *MemoryProvider) getRoles(limit int, offset int, order string, minimal bool) ([]Role, error) { + p.dbHandle.Lock() + defer p.dbHandle.Unlock() + + if p.dbHandle.isClosed { + return nil, errMemoryProviderClosed + } + if limit <= 0 { + return nil, nil + } + roles := make([]Role, 0, 10) + itNum := 0 + if order == OrderASC { + for _, name := range p.dbHandle.roleNames { + itNum++ + if itNum <= offset { + continue + } + r := p.dbHandle.roles[name] + role := r.getACopy() + roles = append(roles, role) + if len(roles) >= limit { + break + } + } + } else { + for i := len(p.dbHandle.roleNames) - 1; i >= 0; i-- { + itNum++ + if itNum <= offset { + continue + } + name := p.dbHandle.roleNames[i] + r := p.dbHandle.roles[name] + role := r.getACopy() + roles = append(roles, role) + if len(roles) >= limit { + break + } + } + } + return roles, nil +} + +func (p *MemoryProvider) dumpRoles() ([]Role, error) { + p.dbHandle.Lock() + defer p.dbHandle.Unlock() + if p.dbHandle.isClosed { + return nil, errMemoryProviderClosed + } + + roles := make([]Role, 0, len(p.dbHandle.roles)) + for _, name := range p.dbHandle.roleNames { + r := p.dbHandle.roles[name] + roles = append(roles, r.getACopy()) + } + return roles, nil +} + func (p *MemoryProvider) setFirstDownloadTimestamp(username string) error { p.dbHandle.Lock() defer p.dbHandle.Unlock() @@ -2333,7 +2601,7 @@ func (p *MemoryProvider) setFirstDownloadTimestamp(username string) error { return err } if user.FirstDownload > 0 { - return util.NewGenericError(fmt.Sprintf("first download already set to %v", + return util.NewGenericError(fmt.Sprintf("first download already set to %s", util.GetTimeFromMsecSinceEpoch(user.FirstDownload))) } user.FirstDownload = util.GetTimeAsMsSinceEpoch(time.Now()) @@ -2352,7 +2620,7 @@ func (p *MemoryProvider) setFirstUploadTimestamp(username string) error { return err } if user.FirstUpload > 0 { - return util.NewGenericError(fmt.Sprintf("first upload already set to %v", + return util.NewGenericError(fmt.Sprintf("first upload already set to %s", util.GetTimeFromMsecSinceEpoch(user.FirstUpload))) } user.FirstUpload = util.GetTimeAsMsSinceEpoch(time.Now()) @@ -2420,11 +2688,24 @@ func (p *MemoryProvider) getNextRuleID() int64 { return nextID } +func (p *MemoryProvider) getNextRoleID() int64 { + nextID := int64(1) + for _, r := range p.dbHandle.roles { + if r.ID >= nextID { + nextID = r.ID + 1 + } + } + return nextID +} + func (p *MemoryProvider) clear() { p.dbHandle.Lock() defer p.dbHandle.Unlock() + p.dbHandle.usernames = []string{} p.dbHandle.users = make(map[string]User) + p.dbHandle.groupnames = []string{} + p.dbHandle.groups = map[string]Group{} p.dbHandle.vfoldersNames = []string{} p.dbHandle.vfolders = make(map[string]vfs.BaseVirtualFolder) p.dbHandle.admins = make(map[string]Admin) @@ -2433,6 +2714,12 @@ func (p *MemoryProvider) clear() { p.dbHandle.apiKeysIDs = []string{} p.dbHandle.shares = make(map[string]Share) p.dbHandle.sharesIDs = []string{} + p.dbHandle.actions = map[string]BaseEventAction{} + p.dbHandle.actionsNames = []string{} + p.dbHandle.rules = map[string]EventRule{} + p.dbHandle.rulesNames = []string{} + p.dbHandle.roles = map[string]Role{} + p.dbHandle.roleNames = []string{} } func (p *MemoryProvider) reloadConfig() error { @@ -2466,8 +2753,16 @@ func (p *MemoryProvider) reloadConfig() error { providerLog(logger.LevelError, "error loading dump: %v", err) return err } + return p.restoreDump(dump) +} + +func (p *MemoryProvider) restoreDump(dump BackupData) error { p.clear() + if err := p.restoreRoles(dump); err != nil { + return err + } + if err := p.restoreFolders(dump); err != nil { return err } @@ -2619,6 +2914,31 @@ func (p *MemoryProvider) restoreAdmins(dump BackupData) error { return nil } +func (p *MemoryProvider) restoreRoles(dump BackupData) error { + for _, role := range dump.Roles { + role := role // pin + role.Name = config.convertName(role.Name) + r, err := p.roleExists(role.Name) + if err == nil { + role.ID = r.ID + err = UpdateRole(&role, ActionExecutorSystem, "") + if err != nil { + providerLog(logger.LevelError, "error updating role %q: %v", role.Name, err) + return err + } + } else { + role.Admins = nil + role.Users = nil + err = AddRole(&role, ActionExecutorSystem, "") + if err != nil { + providerLog(logger.LevelError, "error adding role %q: %v", role.Name, err) + return err + } + } + } + return nil +} + func (p *MemoryProvider) restoreGroups(dump BackupData) error { for _, group := range dump.Groups { group := group // pin @@ -2671,7 +2991,7 @@ func (p *MemoryProvider) restoreUsers(dump BackupData) error { for _, user := range dump.Users { user := user // pin user.Username = config.convertName(user.Username) - u, err := p.userExists(user.Username) + u, err := p.userExists(user.Username, "") if err == nil { user.ID = u.ID err = UpdateUser(&user, ActionExecutorSystem, "") diff --git a/internal/dataprovider/mysql.go b/internal/dataprovider/mysql.go index 0833cebb..3e2e607d 100644 --- a/internal/dataprovider/mysql.go +++ b/internal/dataprovider/mysql.go @@ -57,6 +57,7 @@ const ( "DROP TABLE IF EXISTS `{{events_rules}}` CASCADE;" + "DROP TABLE IF EXISTS `{{tasks}}` CASCADE;" + "DROP TABLE IF EXISTS `{{nodes}}` CASCADE;" + + "DROP TABLE IF EXISTS `{{roles}}` CASCADE;" + "DROP TABLE IF EXISTS `{{schema_version}}` CASCADE;" mysqlInitialSQL = "CREATE TABLE `{{schema_version}}` (`id` integer AUTO_INCREMENT NOT NULL PRIMARY KEY, `version` integer NOT NULL);" + "CREATE TABLE `{{admins}}` (`id` integer AUTO_INCREMENT NOT NULL PRIMARY KEY, `username` varchar(255) NOT NULL UNIQUE, " + @@ -171,6 +172,17 @@ const ( "CREATE INDEX `{{prefix}}events_rules_trigger_idx` ON `{{events_rules}}` (`trigger`);" + "CREATE INDEX `{{prefix}}rules_actions_mapping_order_idx` ON `{{rules_actions_mapping}}` (`order`);" + "INSERT INTO {{schema_version}} (version) VALUES (23);" + mysqlV24SQL = "CREATE TABLE `{{roles}}` (`id` integer AUTO_INCREMENT NOT NULL PRIMARY KEY, `name` varchar(255) NOT NULL UNIQUE, " + + "`description` varchar(512) NULL, `created_at` bigint NOT NULL, `updated_at` bigint NOT NULL);" + + "ALTER TABLE `{{admins}}` ADD COLUMN `role_id` integer NULL , " + + "ADD CONSTRAINT `{{prefix}}admins_role_id_fk_roles_id` FOREIGN KEY (`role_id`) REFERENCES `{{roles}}`(`id`) ON DELETE NO ACTION;" + + "ALTER TABLE `{{users}}` ADD COLUMN `role_id` integer NULL , " + + "ADD CONSTRAINT `{{prefix}}users_role_id_fk_roles_id` FOREIGN KEY (`role_id`) REFERENCES `{{roles}}`(`id`) ON DELETE SET NULL;" + mysqlV24DownSQL = "ALTER TABLE `{{users}}` DROP FOREIGN KEY `{{prefix}}users_role_id_fk_roles_id`;" + + "ALTER TABLE `{{admins}}` DROP FOREIGN KEY `{{prefix}}admins_role_id_fk_roles_id`;" + + "ALTER TABLE `{{users}}` DROP COLUMN `role_id`;" + + "ALTER TABLE `{{admins}}` DROP COLUMN `role_id`;" + + "DROP TABLE `{{roles}}` CASCADE;" ) // MySQLProvider defines the auth provider for MySQL/MariaDB database @@ -312,8 +324,8 @@ func (p *MySQLProvider) updateAdminLastLogin(username string) error { return sqlCommonUpdateAdminLastLogin(username, p.dbHandle) } -func (p *MySQLProvider) userExists(username string) (User, error) { - return sqlCommonGetUserByUsername(username, p.dbHandle) +func (p *MySQLProvider) userExists(username, role string) (User, error) { + return sqlCommonGetUserByUsername(username, role, p.dbHandle) } func (p *MySQLProvider) addUser(user *User) error { @@ -340,8 +352,8 @@ func (p *MySQLProvider) getRecentlyUpdatedUsers(after int64) ([]User, error) { return sqlCommonGetRecentlyUpdatedUsers(after, p.dbHandle) } -func (p *MySQLProvider) getUsers(limit int, offset int, order string) ([]User, error) { - return sqlCommonGetUsers(limit, offset, order, p.dbHandle) +func (p *MySQLProvider) getUsers(limit int, offset int, order, role string) ([]User, error) { + return sqlCommonGetUsers(limit, offset, order, role, p.dbHandle) } func (p *MySQLProvider) getUsersForQuotaCheck(toFetch map[string]bool) ([]User, error) { @@ -654,6 +666,30 @@ func (p *MySQLProvider) cleanupNodes() error { return sqlCommonCleanupNodes(p.dbHandle) } +func (p *MySQLProvider) roleExists(name string) (Role, error) { + return sqlCommonGetRoleByName(name, p.dbHandle) +} + +func (p *MySQLProvider) addRole(role *Role) error { + return sqlCommonAddRole(role, p.dbHandle) +} + +func (p *MySQLProvider) updateRole(role *Role) error { + return sqlCommonUpdateRole(role, p.dbHandle) +} + +func (p *MySQLProvider) deleteRole(role Role) error { + return sqlCommonDeleteRole(role, p.dbHandle) +} + +func (p *MySQLProvider) getRoles(limit int, offset int, order string, minimal bool) ([]Role, error) { + return sqlCommonGetRoles(limit, offset, order, minimal, p.dbHandle) +} + +func (p *MySQLProvider) dumpRoles() ([]Role, error) { + return sqlCommonDumpRoles(p.dbHandle) +} + func (p *MySQLProvider) setFirstDownloadTimestamp(username string) error { return sqlCommonSetFirstDownloadTimestamp(username, p.dbHandle) } @@ -701,6 +737,8 @@ func (p *MySQLProvider) migrateDatabase() error { //nolint:dupl providerLog(logger.LevelError, "%v", err) logger.ErrorToConsole("%v", err) return err + case version == 23: + return updateMySQLDatabaseFromV23(p.dbHandle) default: if version > sqlDatabaseVersion { providerLog(logger.LevelError, "database schema version %d is newer than the supported one: %d", version, @@ -723,6 +761,8 @@ func (p *MySQLProvider) revertDatabase(targetVersion int) error { } switch dbVersion.Version { + case 24: + return downgradeMySQLDatabaseFromV24(p.dbHandle) default: return fmt.Errorf("database schema version not handled: %d", dbVersion.Version) } @@ -732,3 +772,31 @@ func (p *MySQLProvider) resetDatabase() error { sql := sqlReplaceAll(mysqlResetSQL) return sqlCommonExecSQLAndUpdateDBVersion(p.dbHandle, strings.Split(sql, ";"), 0, false) } + +func updateMySQLDatabaseFromV23(dbHandle *sql.DB) error { + return updateMySQLDatabaseFrom23To24(dbHandle) +} + +func downgradeMySQLDatabaseFromV24(dbHandle *sql.DB) error { + return downgradeMySQLDatabaseFrom24To23(dbHandle) +} + +func updateMySQLDatabaseFrom23To24(dbHandle *sql.DB) error { + logger.InfoToConsole("updating database schema version: 23 -> 24") + providerLog(logger.LevelInfo, "updating database schema version: 23 -> 24") + sql := strings.ReplaceAll(mysqlV24SQL, "{{roles}}", sqlTableRoles) + sql = strings.ReplaceAll(sql, "{{admins}}", sqlTableAdmins) + sql = strings.ReplaceAll(sql, "{{users}}", sqlTableUsers) + sql = strings.ReplaceAll(sql, "{{prefix}}", config.SQLTablesPrefix) + return sqlCommonExecSQLAndUpdateDBVersion(dbHandle, strings.Split(sql, ";"), 24, true) +} + +func downgradeMySQLDatabaseFrom24To23(dbHandle *sql.DB) error { + logger.InfoToConsole("downgrading database schema version: 24 -> 23") + providerLog(logger.LevelInfo, "downgrading database schema version: 24 -> 23") + sql := strings.ReplaceAll(mysqlV24DownSQL, "{{roles}}", sqlTableRoles) + sql = strings.ReplaceAll(sql, "{{admins}}", sqlTableAdmins) + sql = strings.ReplaceAll(sql, "{{users}}", sqlTableUsers) + sql = strings.ReplaceAll(sql, "{{prefix}}", config.SQLTablesPrefix) + return sqlCommonExecSQLAndUpdateDBVersion(dbHandle, strings.Split(sql, ";"), 23, false) +} diff --git a/internal/dataprovider/node.go b/internal/dataprovider/node.go index 231baf09..a8082d42 100644 --- a/internal/dataprovider/node.go +++ b/internal/dataprovider/node.go @@ -25,8 +25,8 @@ import ( "strings" "time" - "github.com/lestrrat-go/jwx/jwa" - "github.com/lestrrat-go/jwx/jwt" + "github.com/lestrrat-go/jwx/v2/jwa" + "github.com/lestrrat-go/jwx/v2/jwt" "github.com/rs/xid" "github.com/drakkan/sftpgo/v2/internal/httpclient" @@ -120,27 +120,33 @@ func (n *Node) validate() error { return n.Data.validate() } -func (n *Node) authenticate(token string) (string, error) { +func (n *Node) authenticate(token string) (string, string, error) { if err := n.Data.Key.TryDecrypt(); err != nil { providerLog(logger.LevelError, "unable to decrypt node key: %v", err) - return "", err + return "", "", err } if token == "" { - return "", ErrInvalidCredentials + return "", "", ErrInvalidCredentials } - t, err := jwt.Parse([]byte(token), jwt.WithVerify(jwa.HS256, []byte(n.Data.Key.GetPayload()))) + t, err := jwt.Parse([]byte(token), jwt.WithKey(jwa.HS256, []byte(n.Data.Key.GetPayload())), jwt.WithValidate(true)) if err != nil { - return "", fmt.Errorf("unable to parse token: %v", err) - } - if err := jwt.Validate(t); err != nil { - return "", fmt.Errorf("unable to validate token: %v", err) + return "", "", fmt.Errorf("unable to parse and validate token: %v", err) } + var adminUsername, role string if admin, ok := t.Get("admin"); ok { if val, ok := admin.(string); ok && val != "" { - return val, nil + adminUsername = val } } - return "", errors.New("no admin username associated with node token") + if adminUsername == "" { + return "", "", errors.New("no admin username associated with node token") + } + if r, ok := t.Get("role"); ok { + if val, ok := r.(string); ok && val != "" { + role = val + } + } + return adminUsername, role, nil } // getBaseURL returns the base URL for this node @@ -157,7 +163,7 @@ func (n *Node) getBaseURL() string { } // generateAuthToken generates a new auth token -func (n *Node) generateAuthToken(username string) (string, error) { +func (n *Node) generateAuthToken(username, role string) (string, error) { if err := n.Data.Key.TryDecrypt(); err != nil { return "", fmt.Errorf("unable to decrypt node key: %w", err) } @@ -165,18 +171,19 @@ func (n *Node) generateAuthToken(username string) (string, error) { t := jwt.New() t.Set("admin", username) //nolint:errcheck + t.Set("role", role) //nolint:errcheck t.Set(jwt.JwtIDKey, xid.New().String()) //nolint:errcheck t.Set(jwt.NotBeforeKey, now.Add(-30*time.Second)) //nolint:errcheck t.Set(jwt.ExpirationKey, now.Add(1*time.Minute)) //nolint:errcheck - payload, err := jwt.Sign(t, jwa.HS256, []byte(n.Data.Key.GetPayload())) + payload, err := jwt.Sign(t, jwt.WithKey(jwa.HS256, []byte(n.Data.Key.GetPayload()))) if err != nil { return "", fmt.Errorf("unable to sign authentication token: %w", err) } return string(payload), nil } -func (n *Node) prepareRequest(ctx context.Context, username, relativeURL, method string, +func (n *Node) prepareRequest(ctx context.Context, username, role, relativeURL, method string, body io.Reader, ) (*http.Request, error) { url := fmt.Sprintf("%s%s", n.getBaseURL(), relativeURL) @@ -184,7 +191,7 @@ func (n *Node) prepareRequest(ctx context.Context, username, relativeURL, method if err != nil { return nil, err } - token, err := n.generateAuthToken(username) + token, err := n.generateAuthToken(username, role) if err != nil { return nil, err } @@ -194,11 +201,11 @@ func (n *Node) prepareRequest(ctx context.Context, username, relativeURL, method // SendGetRequest sends an HTTP GET request to this node. // The responseHolder must be a pointer -func (n *Node) SendGetRequest(username, relativeURL string, responseHolder any) error { +func (n *Node) SendGetRequest(username, role, relativeURL string, responseHolder any) error { ctx, cancel := context.WithTimeout(context.Background(), nodeReqTimeout) defer cancel() - req, err := n.prepareRequest(ctx, username, relativeURL, http.MethodGet, nil) + req, err := n.prepareRequest(ctx, username, role, relativeURL, http.MethodGet, nil) if err != nil { return err } @@ -222,11 +229,11 @@ func (n *Node) SendGetRequest(username, relativeURL string, responseHolder any) } // SendDeleteRequest sends an HTTP DELETE request to this node -func (n *Node) SendDeleteRequest(username, relativeURL string) error { +func (n *Node) SendDeleteRequest(username, role, relativeURL string) error { ctx, cancel := context.WithTimeout(context.Background(), nodeReqTimeout) defer cancel() - req, err := n.prepareRequest(ctx, username, relativeURL, http.MethodDelete, nil) + req, err := n.prepareRequest(ctx, username, role, relativeURL, http.MethodDelete, nil) if err != nil { return err } @@ -246,9 +253,9 @@ func (n *Node) SendDeleteRequest(username, relativeURL string) error { } // AuthenticateNodeToken check the validity of the provided token -func AuthenticateNodeToken(token string) (string, error) { +func AuthenticateNodeToken(token string) (string, string, error) { if currentNode == nil { - return "", errNoClusterNodes + return "", "", errNoClusterNodes } return currentNode.authenticate(token) } diff --git a/internal/dataprovider/pgsql.go b/internal/dataprovider/pgsql.go index d62cfd1e..d6857934 100644 --- a/internal/dataprovider/pgsql.go +++ b/internal/dataprovider/pgsql.go @@ -23,6 +23,7 @@ import ( "database/sql" "errors" "fmt" + "strings" "time" // we import pgx here to be able to disable PostgreSQL support using a build tag @@ -54,6 +55,7 @@ DROP TABLE IF EXISTS "{{events_actions}}" CASCADE; DROP TABLE IF EXISTS "{{events_rules}}" CASCADE; DROP TABLE IF EXISTS "{{tasks}}" CASCADE; DROP TABLE IF EXISTS "{{nodes}}" CASCADE; +DROP TABLE IF EXISTS "{{roles}}" CASCADE; DROP TABLE IF EXISTS "{{schema_version}}" CASCADE; ` pgsqlInitial = `CREATE TABLE "{{schema_version}}" ("id" serial NOT NULL PRIMARY KEY, "version" integer NOT NULL); @@ -178,6 +180,19 @@ CREATE INDEX "{{prefix}}rules_actions_mapping_order_idx" ON "{{rules_actions_map CREATE INDEX "{{prefix}}admins_groups_mapping_admin_id_idx" ON "{{admins_groups_mapping}}" ("admin_id"); CREATE INDEX "{{prefix}}admins_groups_mapping_group_id_idx" ON "{{admins_groups_mapping}}" ("group_id"); INSERT INTO {{schema_version}} (version) VALUES (23); +` + pgsqlV24SQL = `CREATE TABLE "{{roles}}" ("id" serial NOT NULL PRIMARY KEY, "name" varchar(255) NOT NULL UNIQUE, +"description" varchar(512) NULL, "created_at" bigint NOT NULL, "updated_at" bigint NOT NULL); +ALTER TABLE "{{admins}}" ADD COLUMN "role_id" integer NULL CONSTRAINT "{{prefix}}admins_role_id_fk_roles_id" +REFERENCES "{{roles}}"("id") ON DELETE NO ACTION; +ALTER TABLE "{{users}}" ADD COLUMN "role_id" integer NULL CONSTRAINT "{{prefix}}users_role_id_fk_roles_id" +REFERENCES "{{roles}}"("id") ON DELETE SET NULL; +CREATE INDEX "{{prefix}}admins_role_id_idx" ON "{{admins}}" ("role_id"); +CREATE INDEX "{{prefix}}users_role_id_idx" ON "{{users}}" ("role_id"); +` + pgsqlV24DownSQL = `ALTER TABLE "{{users}}" DROP COLUMN "role_id" CASCADE; +ALTER TABLE "{{admins}}" DROP COLUMN "role_id" CASCADE; +DROP TABLE "{{roles}}" CASCADE; ` ) @@ -279,8 +294,8 @@ func (p *PGSQLProvider) updateAdminLastLogin(username string) error { return sqlCommonUpdateAdminLastLogin(username, p.dbHandle) } -func (p *PGSQLProvider) userExists(username string) (User, error) { - return sqlCommonGetUserByUsername(username, p.dbHandle) +func (p *PGSQLProvider) userExists(username, role string) (User, error) { + return sqlCommonGetUserByUsername(username, role, p.dbHandle) } func (p *PGSQLProvider) addUser(user *User) error { @@ -307,8 +322,8 @@ func (p *PGSQLProvider) getRecentlyUpdatedUsers(after int64) ([]User, error) { return sqlCommonGetRecentlyUpdatedUsers(after, p.dbHandle) } -func (p *PGSQLProvider) getUsers(limit int, offset int, order string) ([]User, error) { - return sqlCommonGetUsers(limit, offset, order, p.dbHandle) +func (p *PGSQLProvider) getUsers(limit int, offset int, order, role string) ([]User, error) { + return sqlCommonGetUsers(limit, offset, order, role, p.dbHandle) } func (p *PGSQLProvider) getUsersForQuotaCheck(toFetch map[string]bool) ([]User, error) { @@ -621,6 +636,30 @@ func (p *PGSQLProvider) cleanupNodes() error { return sqlCommonCleanupNodes(p.dbHandle) } +func (p *PGSQLProvider) roleExists(name string) (Role, error) { + return sqlCommonGetRoleByName(name, p.dbHandle) +} + +func (p *PGSQLProvider) addRole(role *Role) error { + return sqlCommonAddRole(role, p.dbHandle) +} + +func (p *PGSQLProvider) updateRole(role *Role) error { + return sqlCommonUpdateRole(role, p.dbHandle) +} + +func (p *PGSQLProvider) deleteRole(role Role) error { + return sqlCommonDeleteRole(role, p.dbHandle) +} + +func (p *PGSQLProvider) getRoles(limit int, offset int, order string, minimal bool) ([]Role, error) { + return sqlCommonGetRoles(limit, offset, order, minimal, p.dbHandle) +} + +func (p *PGSQLProvider) dumpRoles() ([]Role, error) { + return sqlCommonDumpRoles(p.dbHandle) +} + func (p *PGSQLProvider) setFirstDownloadTimestamp(username string) error { return sqlCommonSetFirstDownloadTimestamp(username, p.dbHandle) } @@ -668,6 +707,8 @@ func (p *PGSQLProvider) migrateDatabase() error { //nolint:dupl providerLog(logger.LevelError, "%v", err) logger.ErrorToConsole("%v", err) return err + case version == 23: + return updatePgSQLDatabaseFromV23(p.dbHandle) default: if version > sqlDatabaseVersion { providerLog(logger.LevelError, "database schema version %d is newer than the supported one: %d", version, @@ -690,6 +731,8 @@ func (p *PGSQLProvider) revertDatabase(targetVersion int) error { } switch dbVersion.Version { + case 24: + return downgradePgSQLDatabaseFromV24(p.dbHandle) default: return fmt.Errorf("database schema version not handled: %d", dbVersion.Version) } @@ -699,3 +742,31 @@ func (p *PGSQLProvider) resetDatabase() error { sql := sqlReplaceAll(pgsqlResetSQL) return sqlCommonExecSQLAndUpdateDBVersion(p.dbHandle, []string{sql}, 0, false) } + +func updatePgSQLDatabaseFromV23(dbHandle *sql.DB) error { + return updatePgSQLDatabaseFrom23To24(dbHandle) +} + +func downgradePgSQLDatabaseFromV24(dbHandle *sql.DB) error { + return downgradePgSQLDatabaseFrom24To23(dbHandle) +} + +func updatePgSQLDatabaseFrom23To24(dbHandle *sql.DB) error { + logger.InfoToConsole("updating database schema version: 23 -> 24") + providerLog(logger.LevelInfo, "updating database schema version: 23 -> 24") + sql := strings.ReplaceAll(pgsqlV24SQL, "{{roles}}", sqlTableRoles) + sql = strings.ReplaceAll(sql, "{{admins}}", sqlTableAdmins) + sql = strings.ReplaceAll(sql, "{{users}}", sqlTableUsers) + sql = strings.ReplaceAll(sql, "{{prefix}}", config.SQLTablesPrefix) + return sqlCommonExecSQLAndUpdateDBVersion(dbHandle, []string{sql}, 24, true) +} + +func downgradePgSQLDatabaseFrom24To23(dbHandle *sql.DB) error { + logger.InfoToConsole("downgrading database schema version: 24 -> 23") + providerLog(logger.LevelInfo, "downgrading database schema version: 24 -> 23") + sql := strings.ReplaceAll(pgsqlV24DownSQL, "{{roles}}", sqlTableRoles) + sql = strings.ReplaceAll(sql, "{{admins}}", sqlTableAdmins) + sql = strings.ReplaceAll(sql, "{{users}}", sqlTableUsers) + sql = strings.ReplaceAll(sql, "{{prefix}}", config.SQLTablesPrefix) + return sqlCommonExecSQLAndUpdateDBVersion(dbHandle, []string{sql}, 23, false) +} diff --git a/internal/dataprovider/role.go b/internal/dataprovider/role.go new file mode 100644 index 00000000..2fedd135 --- /dev/null +++ b/internal/dataprovider/role.go @@ -0,0 +1,94 @@ +// Copyright (C) 2019-2022 Nicola Murino +// +// This program is free software: you can redistribute it and/or modify +// it under the terms of the GNU Affero General Public License as published +// by the Free Software Foundation, version 3. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU Affero General Public License for more details. +// +// You should have received a copy of the GNU Affero General Public License +// along with this program. If not, see . + +package dataprovider + +import ( + "encoding/json" + "fmt" + "strings" + + "github.com/drakkan/sftpgo/v2/internal/logger" + "github.com/drakkan/sftpgo/v2/internal/util" +) + +// Role defines an SFTPGo role. +type Role struct { + // Data provider unique identifier + ID int64 `json:"id"` + // Role name + Name string `json:"name"` + // optional description + Description string `json:"description,omitempty"` + // Creation time as unix timestamp in milliseconds + CreatedAt int64 `json:"created_at"` + // last update time as unix timestamp in milliseconds + UpdatedAt int64 `json:"updated_at"` + // list of admins associated with this role + Admins []string `json:"admins,omitempty"` + // list of usernames associated with this role + Users []string `json:"users,omitempty"` +} + +// RenderAsJSON implements the renderer interface used within plugins +func (r *Role) RenderAsJSON(reload bool) ([]byte, error) { + if reload { + role, err := provider.roleExists(r.Name) + if err != nil { + providerLog(logger.LevelError, "unable to reload role before rendering as json: %v", err) + return nil, err + } + return json.Marshal(role) + } + return json.Marshal(r) +} + +func (r *Role) validate() error { + if r.Name == "" { + return util.NewValidationError("name is mandatory") + } + if config.NamingRules&1 == 0 && !usernameRegex.MatchString(r.Name) { + return util.NewValidationError(fmt.Sprintf("name %q is not valid, the following characters are allowed: a-zA-Z0-9-_.~", r.Name)) + } + return nil +} + +func (r *Role) getACopy() Role { + users := make([]string, len(r.Users)) + copy(users, r.Users) + admins := make([]string, len(r.Admins)) + copy(admins, r.Admins) + + return Role{ + ID: r.ID, + Name: r.Name, + Description: r.Description, + CreatedAt: r.CreatedAt, + UpdatedAt: r.UpdatedAt, + Users: users, + Admins: admins, + } +} + +// GetMembersAsString returns a string representation for the role members +func (r *Role) GetMembersAsString() string { + var sb strings.Builder + if len(r.Users) > 0 { + sb.WriteString(fmt.Sprintf("Users: %d. ", len(r.Users))) + } + if len(r.Admins) > 0 { + sb.WriteString(fmt.Sprintf("Admins: %d. ", len(r.Admins))) + } + return sb.String() +} diff --git a/internal/dataprovider/sqlcommon.go b/internal/dataprovider/sqlcommon.go index 8ffce39b..7878d861 100644 --- a/internal/dataprovider/sqlcommon.go +++ b/internal/dataprovider/sqlcommon.go @@ -34,7 +34,7 @@ import ( ) const ( - sqlDatabaseVersion = 23 + sqlDatabaseVersion = 24 defaultSQLQueryTimeout = 10 * time.Second longSQLQueryTimeout = 60 * time.Second ) @@ -78,6 +78,7 @@ func sqlReplaceAll(sql string) string { sql = strings.ReplaceAll(sql, "{{rules_actions_mapping}}", sqlTableRulesActionsMapping) sql = strings.ReplaceAll(sql, "{{tasks}}", sqlTableTasks) sql = strings.ReplaceAll(sql, "{{nodes}}", sqlTableNodes) + sql = strings.ReplaceAll(sql, "{{roles}}", sqlTableRoles) sql = strings.ReplaceAll(sql, "{{prefix}}", config.SQLTablesPrefix) return sql } @@ -105,7 +106,7 @@ func sqlCommonAddShare(share *Share, dbHandle *sql.DB) error { return err } - user, err := provider.userExists(share.Username) + user, err := provider.userExists(share.Username, "") if err != nil { return util.NewValidationError(fmt.Sprintf("unable to validate user %#v", share.Username)) } @@ -165,7 +166,7 @@ func sqlCommonUpdateShare(share *Share, dbHandle *sql.DB) error { } } - user, err := provider.userExists(share.Username) + user, err := provider.userExists(share.Username, "") if err != nil { return util.NewValidationError(fmt.Sprintf("unable to validate user %#v", share.Username)) } @@ -431,10 +432,10 @@ func sqlCommonAddAdmin(admin *Admin, dbHandle *sql.DB) error { defer cancel() return sqlCommonExecuteTx(ctx, dbHandle, func(tx *sql.Tx) error { - q := getAddAdminQuery() + q := getAddAdminQuery(admin.Role) _, err = tx.ExecContext(ctx, q, admin.Username, admin.Password, admin.Status, admin.Email, string(perms), string(filters), admin.AdditionalInfo, admin.Description, util.GetTimeAsMsSinceEpoch(time.Now()), - util.GetTimeAsMsSinceEpoch(time.Now())) + util.GetTimeAsMsSinceEpoch(time.Now()), admin.Role) if err != nil { return err } @@ -462,9 +463,9 @@ func sqlCommonUpdateAdmin(admin *Admin, dbHandle *sql.DB) error { defer cancel() return sqlCommonExecuteTx(ctx, dbHandle, func(tx *sql.Tx) error { - q := getUpdateAdminQuery() + q := getUpdateAdminQuery(admin.Role) _, err = tx.ExecContext(ctx, q, admin.Password, admin.Status, admin.Email, string(perms), string(filters), - admin.AdditionalInfo, admin.Description, util.GetTimeAsMsSinceEpoch(time.Now()), admin.Username) + admin.AdditionalInfo, admin.Description, util.GetTimeAsMsSinceEpoch(time.Now()), admin.Role, admin.Username) if err != nil { return err } @@ -537,6 +538,122 @@ func sqlCommonDumpAdmins(dbHandle sqlQuerier) ([]Admin, error) { return getAdminsWithGroups(ctx, admins, dbHandle) } +func sqlCommonGetRoleByName(name string, dbHandle sqlQuerier) (Role, error) { + ctx, cancel := context.WithTimeout(context.Background(), defaultSQLQueryTimeout) + defer cancel() + + q := getRoleByNameQuery() + row := dbHandle.QueryRowContext(ctx, q, name) + role, err := getRoleFromDbRow(row) + if err != nil { + return role, err + } + role, err = getRoleWithUsers(ctx, role, dbHandle) + if err != nil { + return role, err + } + return getRoleWithAdmins(ctx, role, dbHandle) +} + +func sqlCommonDumpRoles(dbHandle sqlQuerier) ([]Role, error) { + roles := make([]Role, 0, 10) + ctx, cancel := context.WithTimeout(context.Background(), longSQLQueryTimeout) + defer cancel() + + q := getDumpRolesQuery() + + rows, err := dbHandle.QueryContext(ctx, q) + if err != nil { + return roles, err + } + defer rows.Close() + + for rows.Next() { + role, err := getRoleFromDbRow(rows) + if err != nil { + return roles, err + } + roles = append(roles, role) + } + return roles, rows.Err() +} + +func sqlCommonGetRoles(limit int, offset int, order string, minimal bool, dbHandle sqlQuerier) ([]Role, error) { + ctx, cancel := context.WithTimeout(context.Background(), defaultSQLQueryTimeout) + defer cancel() + + q := getRolesQuery(order, minimal) + + roles := make([]Role, 0, limit) + rows, err := dbHandle.QueryContext(ctx, q, limit, offset) + if err != nil { + return roles, err + } + defer rows.Close() + + for rows.Next() { + var role Role + if minimal { + err = rows.Scan(&role.ID, &role.Name) + } else { + role, err = getRoleFromDbRow(rows) + } + if err != nil { + return roles, err + } + roles = append(roles, role) + } + err = rows.Err() + if err != nil { + return roles, err + } + if minimal { + return roles, nil + } + roles, err = getRolesWithUsers(ctx, roles, dbHandle) + if err != nil { + return roles, err + } + return getRolesWithAdmins(ctx, roles, dbHandle) +} + +func sqlCommonAddRole(role *Role, dbHandle *sql.DB) error { + if err := role.validate(); err != nil { + return err + } + ctx, cancel := context.WithTimeout(context.Background(), defaultSQLQueryTimeout) + defer cancel() + + q := getAddRoleQuery() + _, err := dbHandle.ExecContext(ctx, q, role.Name, role.Description, util.GetTimeAsMsSinceEpoch(time.Now()), + util.GetTimeAsMsSinceEpoch(time.Now())) + return err +} + +func sqlCommonUpdateRole(role *Role, dbHandle *sql.DB) error { + if err := role.validate(); err != nil { + return err + } + ctx, cancel := context.WithTimeout(context.Background(), defaultSQLQueryTimeout) + defer cancel() + + q := getUpdateRoleQuery() + _, err := dbHandle.ExecContext(ctx, q, role.Description, util.GetTimeAsMsSinceEpoch(time.Now()), role.Name) + return err +} + +func sqlCommonDeleteRole(role Role, dbHandle *sql.DB) error { + ctx, cancel := context.WithTimeout(context.Background(), defaultSQLQueryTimeout) + defer cancel() + + q := getDeleteRoleQuery() + res, err := dbHandle.ExecContext(ctx, q, role.Name) + if err != nil { + return err + } + return sqlCommonRequireRowAffected(res) +} + func sqlCommonGetGroupByName(name string, dbHandle sqlQuerier) (Group, error) { ctx, cancel := context.WithTimeout(context.Background(), defaultSQLQueryTimeout) defer cancel() @@ -756,12 +873,16 @@ func sqlCommonDeleteGroup(group Group, dbHandle *sql.DB) error { return sqlCommonRequireRowAffected(res) } -func sqlCommonGetUserByUsername(username string, dbHandle sqlQuerier) (User, error) { +func sqlCommonGetUserByUsername(username, role string, dbHandle sqlQuerier) (User, error) { ctx, cancel := context.WithTimeout(context.Background(), defaultSQLQueryTimeout) defer cancel() - q := getUserByUsernameQuery() - row := dbHandle.QueryRowContext(ctx, q, username) + q := getUserByUsernameQuery(role) + args := []any{username} + if role != "" { + args = append(args, role) + } + row := dbHandle.QueryRowContext(ctx, q, args...) user, err := getUserFromDbRow(row) if err != nil { return user, err @@ -774,7 +895,7 @@ func sqlCommonGetUserByUsername(username string, dbHandle sqlQuerier) (User, err } func sqlCommonValidateUserAndPass(username, password, ip, protocol string, dbHandle *sql.DB) (User, error) { - user, err := sqlCommonGetUserByUsername(username, dbHandle) + user, err := sqlCommonGetUserByUsername(username, "", dbHandle) if err != nil { providerLog(logger.LevelWarn, "error authenticating user %#v: %v", username, err) return user, err @@ -787,7 +908,7 @@ func sqlCommonValidateUserAndTLSCertificate(username, protocol string, tlsCert * if tlsCert == nil { return user, errors.New("TLS certificate cannot be null or empty") } - user, err := sqlCommonGetUserByUsername(username, dbHandle) + user, err := sqlCommonGetUserByUsername(username, "", dbHandle) if err != nil { providerLog(logger.LevelWarn, "error authenticating user %#v: %v", username, err) return user, err @@ -800,7 +921,7 @@ func sqlCommonValidateUserAndPubKey(username string, pubKey []byte, isSSHCert bo if len(pubKey) == 0 { return user, "", errors.New("credentials cannot be null or empty") } - user, err := sqlCommonGetUserByUsername(username, dbHandle) + user, err := sqlCommonGetUserByUsername(username, "", dbHandle) if err != nil { providerLog(logger.LevelWarn, "error authenticating user %#v: %v", username, err) return user, "", err @@ -993,12 +1114,12 @@ func sqlCommonAddUser(user *User, dbHandle *sql.DB) error { return err } } - q := getAddUserQuery() + q := getAddUserQuery(user.Role) _, err := tx.ExecContext(ctx, q, user.Username, user.Password, string(publicKeys), user.HomeDir, user.UID, user.GID, user.MaxSessions, user.QuotaSize, user.QuotaFiles, string(permissions), user.UploadBandwidth, user.DownloadBandwidth, user.Status, user.ExpirationDate, string(filters), string(fsConfig), user.AdditionalInfo, user.Description, user.Email, util.GetTimeAsMsSinceEpoch(time.Now()), util.GetTimeAsMsSinceEpoch(time.Now()), - user.UploadDataTransfer, user.DownloadDataTransfer, user.TotalDataTransfer) + user.UploadDataTransfer, user.DownloadDataTransfer, user.TotalDataTransfer, user.Role) if err != nil { return err } @@ -1044,12 +1165,12 @@ func sqlCommonUpdateUser(user *User, dbHandle *sql.DB) error { defer cancel() return sqlCommonExecuteTx(ctx, dbHandle, func(tx *sql.Tx) error { - q := getUpdateUserQuery() + q := getUpdateUserQuery(user.Role) _, err := tx.ExecContext(ctx, q, user.Password, string(publicKeys), user.HomeDir, user.UID, user.GID, user.MaxSessions, user.QuotaSize, user.QuotaFiles, string(permissions), user.UploadBandwidth, user.DownloadBandwidth, user.Status, user.ExpirationDate, string(filters), string(fsConfig), user.AdditionalInfo, user.Description, user.Email, util.GetTimeAsMsSinceEpoch(time.Now()), user.UploadDataTransfer, user.DownloadDataTransfer, user.TotalDataTransfer, - user.ID) + user.Role, user.ID) if err != nil { return err } @@ -1264,19 +1385,17 @@ func sqlCommonGetUsersRangeForQuotaCheck(usernames []string, dbHandle sqlQuerier for rows.Next() { var user User - var filters sql.NullString + var filters []byte err = rows.Scan(&user.ID, &user.Username, &user.QuotaSize, &user.UsedQuotaSize, &user.TotalDataTransfer, &user.UploadDataTransfer, &user.DownloadDataTransfer, &user.UsedUploadDataTransfer, &user.UsedDownloadDataTransfer, &filters) if err != nil { return users, err } - if filters.Valid { - var userFilters UserFilters - err = json.Unmarshal([]byte(filters.String), &userFilters) - if err == nil { - user.Filters = userFilters - } + var userFilters UserFilters + err = json.Unmarshal(filters, &userFilters) + if err == nil { + user.Filters = userFilters } users = append(users, user) } @@ -1353,13 +1472,19 @@ func sqlCommonGetActiveTransfers(from time.Time, dbHandle sqlQuerier) ([]ActiveT return transfers, rows.Err() } -func sqlCommonGetUsers(limit int, offset int, order string, dbHandle sqlQuerier) ([]User, error) { +func sqlCommonGetUsers(limit int, offset int, order, role string, dbHandle sqlQuerier) ([]User, error) { users := make([]User, 0, limit) ctx, cancel := context.WithTimeout(context.Background(), defaultSQLQueryTimeout) defer cancel() - q := getUsersQuery(order) - rows, err := dbHandle.QueryContext(ctx, q, limit, offset) + q := getUsersQuery(order, role) + var args []any + if role == "" { + args = append(args, limit, offset) + } else { + args = append(args, role, limit, offset) + } + rows, err := dbHandle.QueryContext(ctx, q, args...) if err != nil { return users, err } @@ -1593,7 +1718,8 @@ func sqlCommonCleanupDefenderEvents(from int64, dbHandle *sql.DB) error { func getShareFromDbRow(row sqlScanner) (Share, error) { var share Share - var description, password, allowFrom, paths sql.NullString + var description, password sql.NullString + var allowFrom, paths []byte err := row.Scan(&share.ShareID, &share.Name, &description, &share.Scope, &paths, &share.Username, &share.CreatedAt, &share.UpdatedAt, @@ -1605,28 +1731,22 @@ func getShareFromDbRow(row sqlScanner) (Share, error) { } return share, err } - if paths.Valid { - var list []string - err = json.Unmarshal([]byte(paths.String), &list) - if err != nil { - return share, err - } - share.Paths = list - } else { - return share, errors.New("unable to decode shared paths") + var list []string + err = json.Unmarshal(paths, &list) + if err != nil { + return share, err } + share.Paths = list if description.Valid { share.Description = description.String } if password.Valid { share.Password = password.String } - if allowFrom.Valid { - var list []string - err = json.Unmarshal([]byte(allowFrom.String), &list) - if err == nil { - share.AllowFrom = list - } + list = nil + err = json.Unmarshal(allowFrom, &list) + if err == nil { + share.AllowFrom = list } return share, nil } @@ -1661,10 +1781,11 @@ func getAPIKeyFromDbRow(row sqlScanner) (APIKey, error) { func getAdminFromDbRow(row sqlScanner) (Admin, error) { var admin Admin - var email, filters, additionalInfo, permissions, description sql.NullString + var email, additionalInfo, description, role sql.NullString + var permissions, filters []byte err := row.Scan(&admin.ID, &admin.Username, &admin.Password, &admin.Status, &email, &permissions, - &filters, &additionalInfo, &description, &admin.CreatedAt, &admin.UpdatedAt, &admin.LastLogin) + &filters, &additionalInfo, &description, &admin.CreatedAt, &admin.UpdatedAt, &admin.LastLogin, &role) if err != nil { if errors.Is(err, sql.ErrNoRows) { @@ -1673,24 +1794,21 @@ func getAdminFromDbRow(row sqlScanner) (Admin, error) { return admin, err } - if permissions.Valid { - var perms []string - err = json.Unmarshal([]byte(permissions.String), &perms) - if err != nil { - return admin, err - } - admin.Permissions = perms + var perms []string + err = json.Unmarshal(permissions, &perms) + if err != nil { + return admin, err } + admin.Permissions = perms if email.Valid { admin.Email = email.String } - if filters.Valid { - var adminFilters AdminFilters - err = json.Unmarshal([]byte(filters.String), &adminFilters) - if err == nil { - admin.Filters = adminFilters - } + + var adminFilters AdminFilters + err = json.Unmarshal(filters, &adminFilters) + if err == nil { + admin.Filters = adminFilters } if additionalInfo.Valid { admin.AdditionalInfo = additionalInfo.String @@ -1698,6 +1816,9 @@ func getAdminFromDbRow(row sqlScanner) (Admin, error) { if description.Valid { admin.Description = description.String } + if role.Valid { + admin.Role = role.String + } admin.SetEmptySecretsIfNil() return admin, nil @@ -1718,11 +1839,10 @@ func getEventActionFromDbRow(row sqlScanner) (BaseEventAction, error) { if description.Valid { action.Description = description.String } - if len(options) > 0 { - err = json.Unmarshal(options, &action.Options) - if err != nil { - return action, err - } + var actionOptions BaseEventActionOptions + err = json.Unmarshal(options, &actionOptions) + if err == nil { + action.Options = actionOptions } return action, nil } @@ -1740,21 +1860,40 @@ func getEventRuleFromDbRow(row sqlScanner) (EventRule, error) { } return rule, err } - if len(conditions) > 0 { - err = json.Unmarshal(conditions, &rule.Conditions) - if err != nil { - return rule, err - } + var ruleConditions EventConditions + err = json.Unmarshal(conditions, &ruleConditions) + if err == nil { + rule.Conditions = ruleConditions } + if description.Valid { rule.Description = description.String } return rule, nil } +func getRoleFromDbRow(row sqlScanner) (Role, error) { + var role Role + var description sql.NullString + + err := row.Scan(&role.ID, &role.Name, &description, &role.CreatedAt, &role.UpdatedAt) + if err != nil { + if errors.Is(err, sql.ErrNoRows) { + return role, util.NewRecordNotFoundError(err.Error()) + } + return role, err + } + if description.Valid { + role.Description = description.String + } + + return role, nil +} + func getGroupFromDbRow(row sqlScanner) (Group, error) { var group Group - var userSettings, description sql.NullString + var description sql.NullString + var userSettings []byte err := row.Scan(&group.ID, &group.Name, &description, &group.CreatedAt, &group.UpdatedAt, &userSettings) if err != nil { @@ -1766,12 +1905,11 @@ func getGroupFromDbRow(row sqlScanner) (Group, error) { if description.Valid { group.Description = description.String } - if userSettings.Valid { - var settings GroupUserSettings - err = json.Unmarshal([]byte(userSettings.String), &settings) - if err == nil { - group.UserSettings = settings - } + + var settings GroupUserSettings + err = json.Unmarshal(userSettings, &settings) + if err == nil { + group.UserSettings = settings } return group, nil @@ -1779,19 +1917,16 @@ func getGroupFromDbRow(row sqlScanner) (Group, error) { func getUserFromDbRow(row sqlScanner) (User, error) { var user User - var permissions sql.NullString var password sql.NullString - var publicKey sql.NullString - var filters sql.NullString - var fsConfig sql.NullString - var additionalInfo, description, email sql.NullString + var permissions, publicKey, filters, fsConfig []byte + var additionalInfo, description, email, role sql.NullString err := row.Scan(&user.ID, &user.Username, &password, &publicKey, &user.HomeDir, &user.UID, &user.GID, &user.MaxSessions, &user.QuotaSize, &user.QuotaFiles, &permissions, &user.UsedQuotaSize, &user.UsedQuotaFiles, &user.LastQuotaUpdate, &user.UploadBandwidth, &user.DownloadBandwidth, &user.ExpirationDate, &user.LastLogin, &user.Status, &filters, &fsConfig, &additionalInfo, &description, &email, &user.CreatedAt, &user.UpdatedAt, &user.UploadDataTransfer, &user.DownloadDataTransfer, &user.TotalDataTransfer, &user.UsedUploadDataTransfer, &user.UsedDownloadDataTransfer, &user.DeletedAt, &user.FirstDownload, - &user.FirstUpload) + &user.FirstUpload, &role) if err != nil { if errors.Is(err, sql.ErrNoRows) { return user, util.NewRecordNotFoundError(err.Error()) @@ -1801,38 +1936,30 @@ func getUserFromDbRow(row sqlScanner) (User, error) { if password.Valid { user.Password = password.String } + perms := make(map[string][]string) + err = json.Unmarshal(permissions, &perms) + if err != nil { + providerLog(logger.LevelError, "unable to deserialize permissions for user %#v: %v", user.Username, err) + return user, fmt.Errorf("unable to deserialize permissions for user %#v: %v", user.Username, err) + } + user.Permissions = perms // we can have a empty string or an invalid json in null string // so we do a relaxed test if the field is optional, for example we // populate public keys only if unmarshal does not return an error - if publicKey.Valid { - var list []string - err = json.Unmarshal([]byte(publicKey.String), &list) - if err == nil { - user.PublicKeys = list - } + var pKeys []string + err = json.Unmarshal(publicKey, &pKeys) + if err == nil { + user.PublicKeys = pKeys } - if permissions.Valid { - perms := make(map[string][]string) - err = json.Unmarshal([]byte(permissions.String), &perms) - if err != nil { - providerLog(logger.LevelError, "unable to deserialize permissions for user %#v: %v", user.Username, err) - return user, fmt.Errorf("unable to deserialize permissions for user %#v: %v", user.Username, err) - } - user.Permissions = perms + var userFilters UserFilters + err = json.Unmarshal(filters, &userFilters) + if err == nil { + user.Filters = userFilters } - if filters.Valid { - var userFilters UserFilters - err = json.Unmarshal([]byte(filters.String), &userFilters) - if err == nil { - user.Filters = userFilters - } - } - if fsConfig.Valid { - var fs vfs.Filesystem - err = json.Unmarshal([]byte(fsConfig.String), &fs) - if err == nil { - user.FsConfig = fs - } + var fs vfs.Filesystem + err = json.Unmarshal(fsConfig, &fs) + if err == nil { + user.FsConfig = fs } if additionalInfo.Valid { user.AdditionalInfo = additionalInfo.String @@ -1843,6 +1970,9 @@ func getUserFromDbRow(row sqlScanner) (User, error) { if email.Valid { user.Email = email.String } + if role.Valid { + user.Role = role.String + } user.SetEmptySecretsIfNil() return user, nil } @@ -1851,7 +1981,8 @@ func sqlCommonGetFolder(ctx context.Context, name string, dbHandle sqlQuerier) ( var folder vfs.BaseVirtualFolder q := getFolderByNameQuery() row := dbHandle.QueryRowContext(ctx, q, name) - var mappedPath, description, fsConfig sql.NullString + var mappedPath, description sql.NullString + var fsConfig []byte err := row.Scan(&folder.ID, &mappedPath, &folder.UsedQuotaSize, &folder.UsedQuotaFiles, &folder.LastQuotaUpdate, &folder.Name, &description, &fsConfig) if err != nil { @@ -1866,12 +1997,10 @@ func sqlCommonGetFolder(ctx context.Context, name string, dbHandle sqlQuerier) ( if description.Valid { folder.Description = description.String } - if fsConfig.Valid { - var fs vfs.Filesystem - err = json.Unmarshal([]byte(fsConfig.String), &fs) - if err == nil { - folder.FsConfig = fs - } + var fs vfs.Filesystem + err = json.Unmarshal(fsConfig, &fs) + if err == nil { + folder.FsConfig = fs } return folder, err } @@ -1971,7 +2100,8 @@ func sqlCommonDumpFolders(dbHandle sqlQuerier) ([]vfs.BaseVirtualFolder, error) defer rows.Close() for rows.Next() { var folder vfs.BaseVirtualFolder - var mappedPath, description, fsConfig sql.NullString + var mappedPath, description sql.NullString + var fsConfig []byte err = rows.Scan(&folder.ID, &mappedPath, &folder.UsedQuotaSize, &folder.UsedQuotaFiles, &folder.LastQuotaUpdate, &folder.Name, &description, &fsConfig) if err != nil { @@ -1983,12 +2113,10 @@ func sqlCommonDumpFolders(dbHandle sqlQuerier) ([]vfs.BaseVirtualFolder, error) if description.Valid { folder.Description = description.String } - if fsConfig.Valid { - var fs vfs.Filesystem - err = json.Unmarshal([]byte(fsConfig.String), &fs) - if err == nil { - folder.FsConfig = fs - } + var fs vfs.Filesystem + err = json.Unmarshal(fsConfig, &fs) + if err == nil { + folder.FsConfig = fs } folders = append(folders, folder) } @@ -2014,7 +2142,8 @@ func sqlCommonGetFolders(limit, offset int, order string, minimal bool, dbHandle return folders, err } } else { - var mappedPath, description, fsConfig sql.NullString + var mappedPath, description sql.NullString + var fsConfig []byte err = rows.Scan(&folder.ID, &mappedPath, &folder.UsedQuotaSize, &folder.UsedQuotaFiles, &folder.LastQuotaUpdate, &folder.Name, &description, &fsConfig) if err != nil { @@ -2026,12 +2155,10 @@ func sqlCommonGetFolders(limit, offset int, order string, minimal bool, dbHandle if description.Valid { folder.Description = description.String } - if fsConfig.Valid { - var fs vfs.Filesystem - err = json.Unmarshal([]byte(fsConfig.String), &fs) - if err == nil { - folder.FsConfig = fs - } + var fs vfs.Filesystem + err = json.Unmarshal(fsConfig, &fs) + if err == nil { + folder.FsConfig = fs } } folder.PrepareForRendering() @@ -2297,7 +2424,8 @@ func getUsersWithVirtualFolders(ctx context.Context, users []User, dbHandle sqlQ for rows.Next() { var folder vfs.VirtualFolder var userID int64 - var mappedPath, fsConfig, description sql.NullString + var mappedPath, description sql.NullString + var fsConfig []byte err = rows.Scan(&folder.ID, &folder.Name, &mappedPath, &folder.UsedQuotaSize, &folder.UsedQuotaFiles, &folder.LastQuotaUpdate, &folder.VirtualPath, &folder.QuotaSize, &folder.QuotaFiles, &userID, &fsConfig, &description) @@ -2310,12 +2438,10 @@ func getUsersWithVirtualFolders(ctx context.Context, users []User, dbHandle sqlQ if description.Valid { folder.Description = description.String } - if fsConfig.Valid { - var fs vfs.Filesystem - err = json.Unmarshal([]byte(fsConfig.String), &fs) - if err == nil { - folder.FsConfig = fs - } + var fs vfs.Filesystem + err = json.Unmarshal(fsConfig, &fs) + if err == nil { + folder.FsConfig = fs } usersVirtualFolders[userID] = append(usersVirtualFolders[userID], folder) } @@ -2390,6 +2516,28 @@ func getGroupWithUsers(ctx context.Context, group Group, dbHandle sqlQuerier) (G return groups[0], err } +func getRoleWithUsers(ctx context.Context, role Role, dbHandle sqlQuerier) (Role, error) { + roles, err := getRolesWithUsers(ctx, []Role{role}, dbHandle) + if err != nil { + return role, err + } + if len(roles) == 0 { + return role, errors.New("unable to associate users with role") + } + return roles[0], err +} + +func getRoleWithAdmins(ctx context.Context, role Role, dbHandle sqlQuerier) (Role, error) { + roles, err := getRolesWithAdmins(ctx, []Role{role}, dbHandle) + if err != nil { + return role, err + } + if len(roles) == 0 { + return role, errors.New("unable to associate admins with role") + } + return roles[0], err +} + func getGroupWithAdmins(ctx context.Context, group Group, dbHandle sqlQuerier) (Group, error) { groups, err := getGroupsWithAdmins(ctx, []Group{group}, dbHandle) if err != nil { @@ -2427,7 +2575,8 @@ func getGroupsWithVirtualFolders(ctx context.Context, groups []Group, dbHandle s for rows.Next() { var groupID int64 var folder vfs.VirtualFolder - var mappedPath, fsConfig, description sql.NullString + var mappedPath, description sql.NullString + var fsConfig []byte err = rows.Scan(&folder.ID, &folder.Name, &mappedPath, &folder.UsedQuotaSize, &folder.UsedQuotaFiles, &folder.LastQuotaUpdate, &folder.VirtualPath, &folder.QuotaSize, &folder.QuotaFiles, &groupID, &fsConfig, &description) @@ -2440,12 +2589,10 @@ func getGroupsWithVirtualFolders(ctx context.Context, groups []Group, dbHandle s if description.Valid { folder.Description = description.String } - if fsConfig.Valid { - var fs vfs.Filesystem - err = json.Unmarshal([]byte(fsConfig.String), &fs) - if err == nil { - folder.FsConfig = fs - } + var fs vfs.Filesystem + err = json.Unmarshal(fsConfig, &fs) + if err == nil { + folder.FsConfig = fs } groupsVirtualFolders[groupID] = append(groupsVirtualFolders[groupID], folder) } @@ -2498,6 +2645,71 @@ func getGroupsWithUsers(ctx context.Context, groups []Group, dbHandle sqlQuerier return groups, err } +func getRolesWithUsers(ctx context.Context, roles []Role, dbHandle sqlQuerier) ([]Role, error) { + if len(roles) == 0 { + return roles, nil + } + rows, err := dbHandle.QueryContext(ctx, getUsersWithRolesQuery(roles)) + if err != nil { + return nil, err + } + defer rows.Close() + + rolesUsers := make(map[int64][]string) + for rows.Next() { + var roleID int64 + var username string + err = rows.Scan(&roleID, &username) + if err != nil { + return roles, err + } + rolesUsers[roleID] = append(rolesUsers[roleID], username) + } + err = rows.Err() + if err != nil { + return roles, err + } + if len(rolesUsers) > 0 { + for idx := range roles { + ref := &roles[idx] + ref.Users = rolesUsers[ref.ID] + } + } + return roles, nil +} + +func getRolesWithAdmins(ctx context.Context, roles []Role, dbHandle sqlQuerier) ([]Role, error) { + if len(roles) == 0 { + return roles, nil + } + rows, err := dbHandle.QueryContext(ctx, getAdminsWithRolesQuery(roles)) + if err != nil { + return nil, err + } + defer rows.Close() + + rolesAdmins := make(map[int64][]string) + for rows.Next() { + var roleID int64 + var username string + err = rows.Scan(&roleID, &username) + if err != nil { + return roles, err + } + rolesAdmins[roleID] = append(rolesAdmins[roleID], username) + } + if err = rows.Err(); err != nil { + return roles, err + } + if len(rolesAdmins) > 0 { + for idx := range roles { + ref := &roles[idx] + ref.Admins = rolesAdmins[ref.ID] + } + } + return roles, nil +} + func getGroupsWithAdmins(ctx context.Context, groups []Group, dbHandle sqlQuerier) ([]Group, error) { if len(groups) == 0 { return groups, nil @@ -2701,7 +2913,7 @@ func getRelatedValuesForAPIKeys(ctx context.Context, apiKeys []APIKey, dbHandle func sqlCommonGetAPIKeyRelatedIDs(apiKey *APIKey) (sql.NullInt64, sql.NullInt64, error) { var userID, adminID sql.NullInt64 if apiKey.User != "" { - u, err := provider.userExists(apiKey.User) + u, err := provider.userExists(apiKey.User, "") if err != nil { return userID, adminID, util.NewValidationError(fmt.Sprintf("unable to validate user %v", apiKey.User)) } diff --git a/internal/dataprovider/sqlite.go b/internal/dataprovider/sqlite.go index 28ccc1e1..a151c90b 100644 --- a/internal/dataprovider/sqlite.go +++ b/internal/dataprovider/sqlite.go @@ -24,6 +24,7 @@ import ( "errors" "fmt" "path/filepath" + "strings" "time" // we import go-sqlite3 here to be able to disable SQLite support using a build tag @@ -55,6 +56,7 @@ DROP TABLE IF EXISTS "{{rules_actions_mapping}}"; DROP TABLE IF EXISTS "{{events_rules}}"; DROP TABLE IF EXISTS "{{events_actions}}"; DROP TABLE IF EXISTS "{{tasks}}"; +DROP TABLE IF EXISTS "{{roles}}"; DROP TABLE IF EXISTS "{{schema_version}}"; ` sqliteInitialSQL = `CREATE TABLE "{{schema_version}}" ("id" integer NOT NULL PRIMARY KEY AUTOINCREMENT, "version" integer NOT NULL); @@ -159,6 +161,19 @@ CREATE INDEX "{{prefix}}rules_actions_mapping_order_idx" ON "{{rules_actions_map CREATE INDEX "{{prefix}}admins_groups_mapping_admin_id_idx" ON "{{admins_groups_mapping}}" ("admin_id"); CREATE INDEX "{{prefix}}admins_groups_mapping_group_id_idx" ON "{{admins_groups_mapping}}" ("group_id"); INSERT INTO {{schema_version}} (version) VALUES (23); +` + sqliteV24SQL = `CREATE TABLE "{{roles}}" ("id" integer NOT NULL PRIMARY KEY AUTOINCREMENT, "name" varchar(255) NOT NULL UNIQUE, +"description" varchar(512) NULL, "created_at" bigint NOT NULL, "updated_at" bigint NOT NULL); +ALTER TABLE "{{users}}" ADD COLUMN "role_id" integer NULL REFERENCES "{{roles}}" ("id") ON DELETE SET NULL; +ALTER TABLE "{{admins}}" ADD COLUMN "role_id" integer NULL REFERENCES "{{roles}}" ("id") ON DELETE NO ACTION; +CREATE INDEX "{{prefix}}users_role_id_idx" ON "{{users}}" ("role_id"); +CREATE INDEX "{{prefix}}admins_role_id_idx" ON "{{admins}}" ("role_id"); +` + sqliteV24DownSQL = `DROP INDEX "{{prefix}}users_role_id_idx"; +DROP INDEX "{{prefix}}admins_role_id_idx"; +ALTER TABLE "{{users}}" DROP COLUMN role_id; +ALTER TABLE "{{admins}}" DROP COLUMN role_id; +DROP TABLE "{{roles}}"; ` ) @@ -239,8 +254,8 @@ func (p *SQLiteProvider) updateAdminLastLogin(username string) error { return sqlCommonUpdateAdminLastLogin(username, p.dbHandle) } -func (p *SQLiteProvider) userExists(username string) (User, error) { - return sqlCommonGetUserByUsername(username, p.dbHandle) +func (p *SQLiteProvider) userExists(username, role string) (User, error) { + return sqlCommonGetUserByUsername(username, role, p.dbHandle) } func (p *SQLiteProvider) addUser(user *User) error { @@ -267,8 +282,8 @@ func (p *SQLiteProvider) getRecentlyUpdatedUsers(after int64) ([]User, error) { return sqlCommonGetRecentlyUpdatedUsers(after, p.dbHandle) } -func (p *SQLiteProvider) getUsers(limit int, offset int, order string) ([]User, error) { - return sqlCommonGetUsers(limit, offset, order, p.dbHandle) +func (p *SQLiteProvider) getUsers(limit int, offset int, order, role string) ([]User, error) { + return sqlCommonGetUsers(limit, offset, order, role, p.dbHandle) } func (p *SQLiteProvider) getUsersForQuotaCheck(toFetch map[string]bool) ([]User, error) { @@ -581,6 +596,30 @@ func (*SQLiteProvider) cleanupNodes() error { return ErrNotImplemented } +func (p *SQLiteProvider) roleExists(name string) (Role, error) { + return sqlCommonGetRoleByName(name, p.dbHandle) +} + +func (p *SQLiteProvider) addRole(role *Role) error { + return sqlCommonAddRole(role, p.dbHandle) +} + +func (p *SQLiteProvider) updateRole(role *Role) error { + return sqlCommonUpdateRole(role, p.dbHandle) +} + +func (p *SQLiteProvider) deleteRole(role Role) error { + return sqlCommonDeleteRole(role, p.dbHandle) +} + +func (p *SQLiteProvider) getRoles(limit int, offset int, order string, minimal bool) ([]Role, error) { + return sqlCommonGetRoles(limit, offset, order, minimal, p.dbHandle) +} + +func (p *SQLiteProvider) dumpRoles() ([]Role, error) { + return sqlCommonDumpRoles(p.dbHandle) +} + func (p *SQLiteProvider) setFirstDownloadTimestamp(username string) error { return sqlCommonSetFirstDownloadTimestamp(username, p.dbHandle) } @@ -628,6 +667,8 @@ func (p *SQLiteProvider) migrateDatabase() error { //nolint:dupl providerLog(logger.LevelError, "%v", err) logger.ErrorToConsole("%v", err) return err + case version == 23: + return updateSQLiteDatabaseFromV23(p.dbHandle) default: if version > sqlDatabaseVersion { providerLog(logger.LevelError, "database schema version %d is newer than the supported one: %d", version, @@ -650,6 +691,8 @@ func (p *SQLiteProvider) revertDatabase(targetVersion int) error { } switch dbVersion.Version { + case 24: + return downgradeSQLiteDatabaseFromV24(p.dbHandle) default: return fmt.Errorf("database schema version not handled: %d", dbVersion.Version) } @@ -660,6 +703,34 @@ func (p *SQLiteProvider) resetDatabase() error { return sqlCommonExecSQLAndUpdateDBVersion(p.dbHandle, []string{sql}, 0, false) } +func updateSQLiteDatabaseFromV23(dbHandle *sql.DB) error { + return updateSQLiteDatabaseFrom23To24(dbHandle) +} + +func downgradeSQLiteDatabaseFromV24(dbHandle *sql.DB) error { + return downgradeSQLiteDatabaseFrom24To23(dbHandle) +} + +func updateSQLiteDatabaseFrom23To24(dbHandle *sql.DB) error { + logger.InfoToConsole("updating database schema version: 23 -> 24") + providerLog(logger.LevelInfo, "updating database schema version: 23 -> 24") + sql := strings.ReplaceAll(sqliteV24SQL, "{{roles}}", sqlTableRoles) + sql = strings.ReplaceAll(sql, "{{admins}}", sqlTableAdmins) + sql = strings.ReplaceAll(sql, "{{users}}", sqlTableUsers) + sql = strings.ReplaceAll(sql, "{{prefix}}", config.SQLTablesPrefix) + return sqlCommonExecSQLAndUpdateDBVersion(dbHandle, []string{sql}, 24, true) +} + +func downgradeSQLiteDatabaseFrom24To23(dbHandle *sql.DB) error { + logger.InfoToConsole("downgrading database schema version: 24 -> 23") + providerLog(logger.LevelInfo, "downgrading database schema version: 24 -> 23") + sql := strings.ReplaceAll(sqliteV24DownSQL, "{{roles}}", sqlTableRoles) + sql = strings.ReplaceAll(sql, "{{admins}}", sqlTableAdmins) + sql = strings.ReplaceAll(sql, "{{users}}", sqlTableUsers) + sql = strings.ReplaceAll(sql, "{{prefix}}", config.SQLTablesPrefix) + return sqlCommonExecSQLAndUpdateDBVersion(dbHandle, []string{sql}, 23, false) +} + /*func setPragmaFK(dbHandle *sql.DB, value string) error { ctx, cancel := context.WithTimeout(context.Background(), longSQLQueryTimeout) defer cancel() diff --git a/internal/dataprovider/sqlqueries.go b/internal/dataprovider/sqlqueries.go index 2ae1ed30..6c9aa96c 100644 --- a/internal/dataprovider/sqlqueries.go +++ b/internal/dataprovider/sqlqueries.go @@ -23,17 +23,19 @@ import ( ) const ( - selectUserFields = "id,username,password,public_keys,home_dir,uid,gid,max_sessions,quota_size,quota_files,permissions,used_quota_size," + - "used_quota_files,last_quota_update,upload_bandwidth,download_bandwidth,expiration_date,last_login,status,filters,filesystem," + - "additional_info,description,email,created_at,updated_at,upload_data_transfer,download_data_transfer,total_data_transfer," + - "used_upload_data_transfer,used_download_data_transfer,deleted_at,first_download,first_upload" + selectUserFields = "u.id,u.username,u.password,u.public_keys,u.home_dir,u.uid,u.gid,u.max_sessions,u.quota_size,u.quota_files," + + "u.permissions,u.used_quota_size,u.used_quota_files,u.last_quota_update,u.upload_bandwidth,u.download_bandwidth," + + "u.expiration_date,u.last_login,u.status,u.filters,u.filesystem,u.additional_info,u.description,u.email,u.created_at," + + "u.updated_at,u.upload_data_transfer,u.download_data_transfer,u.total_data_transfer," + + "u.used_upload_data_transfer,u.used_download_data_transfer,u.deleted_at,u.first_download,u.first_upload,r.name" selectFolderFields = "id,path,used_quota_size,used_quota_files,last_quota_update,name,description,filesystem" - selectAdminFields = "id,username,password,status,email,permissions,filters,additional_info,description,created_at,updated_at,last_login" + selectAdminFields = "a.id,a.username,a.password,a.status,a.email,a.permissions,a.filters,a.additional_info,a.description,a.created_at,a.updated_at,a.last_login,r.name" selectAPIKeyFields = "key_id,name,api_key,scope,created_at,updated_at,last_use_at,expires_at,description,user_id,admin_id" selectShareFields = "s.share_id,s.name,s.description,s.scope,s.paths,u.username,s.created_at,s.updated_at,s.last_use_at," + "s.expires_at,s.password,s.max_tokens,s.used_tokens,s.allow_from" selectGroupFields = "id,name,description,created_at,updated_at,user_settings" selectEventActionFields = "id,name,description,type,options" + selectRoleFields = "id,name,description,created_at,updated_at" selectMinimalFields = "id,name" ) @@ -65,6 +67,13 @@ func getSelectEventRuleFields() string { return `id,name,description,created_at,updated_at,"trigger",conditions,deleted_at` } +func getCoalesceDefaultForRole(role string) string { + if role != "" { + return "0" + } + return "NULL" +} + func getAddSessionQuery() string { if config.Driver == MySQLDataProviderName { return fmt.Sprintf("INSERT INTO %s (`key`,`data`,`type`,`timestamp`) VALUES (%s,%s,%s,%s) "+ @@ -170,6 +179,75 @@ func getDefenderEventsCleanupQuery() string { return fmt.Sprintf(`DELETE FROM %s WHERE date_time < %s`, sqlTableDefenderEvents, sqlPlaceholders[0]) } +func getRoleByNameQuery() string { + return fmt.Sprintf(`SELECT %s FROM %s WHERE name = %s`, selectRoleFields, sqlTableRoles, + sqlPlaceholders[0]) +} + +func getRolesQuery(order string, minimal bool) string { + var fieldSelection string + if minimal { + fieldSelection = selectMinimalFields + } else { + fieldSelection = selectRoleFields + } + return fmt.Sprintf(`SELECT %s FROM %s ORDER BY name %s LIMIT %s OFFSET %s`, fieldSelection, + sqlTableRoles, order, sqlPlaceholders[0], sqlPlaceholders[1]) +} + +func getUsersWithRolesQuery(roles []Role) string { + var sb strings.Builder + for _, r := range roles { + if sb.Len() == 0 { + sb.WriteString("(") + } else { + sb.WriteString(",") + } + sb.WriteString(strconv.FormatInt(r.ID, 10)) + } + if sb.Len() > 0 { + sb.WriteString(")") + } + return fmt.Sprintf(`SELECT r.id, u.username FROM %s u INNER JOIN %s r ON u.role_id = r.id WHERE u.role_id IN %s`, + sqlTableUsers, sqlTableRoles, sb.String()) +} + +func getAdminsWithRolesQuery(roles []Role) string { + var sb strings.Builder + for _, r := range roles { + if sb.Len() == 0 { + sb.WriteString("(") + } else { + sb.WriteString(",") + } + sb.WriteString(strconv.FormatInt(r.ID, 10)) + } + if sb.Len() > 0 { + sb.WriteString(")") + } + return fmt.Sprintf(`SELECT r.id, a.username FROM %s a INNER JOIN %s r ON a.role_id = r.id WHERE a.role_id IN %s`, + sqlTableAdmins, sqlTableRoles, sb.String()) +} + +func getDumpRolesQuery() string { + return fmt.Sprintf(`SELECT %s FROM %s`, selectRoleFields, sqlTableRoles) +} + +func getAddRoleQuery() string { + return fmt.Sprintf(`INSERT INTO %s (name,description,created_at,updated_at) + VALUES (%s,%s,%s,%s)`, sqlTableRoles, sqlPlaceholders[0], sqlPlaceholders[1], + sqlPlaceholders[2], sqlPlaceholders[3]) +} + +func getUpdateRoleQuery() string { + return fmt.Sprintf(`UPDATE %s SET description=%s,updated_at=%s + WHERE name = %s`, sqlTableRoles, sqlPlaceholders[0], sqlPlaceholders[1], sqlPlaceholders[2]) +} + +func getDeleteRoleQuery() string { + return fmt.Sprintf(`DELETE FROM %s WHERE name = %s`, sqlTableRoles, sqlPlaceholders[0]) +} + func getGroupByNameQuery() string { return fmt.Sprintf(`SELECT %s FROM %s WHERE name = %s`, selectGroupFields, getSQLQuotedName(sqlTableGroups), sqlPlaceholders[0]) @@ -244,29 +322,33 @@ func getDeleteGroupQuery() string { } func getAdminByUsernameQuery() string { - return fmt.Sprintf(`SELECT %s FROM %s WHERE username = %s`, selectAdminFields, sqlTableAdmins, sqlPlaceholders[0]) + return fmt.Sprintf(`SELECT %s FROM %s a LEFT JOIN %s r on r.id = a.role_id WHERE a.username = %s`, + selectAdminFields, sqlTableAdmins, sqlTableRoles, sqlPlaceholders[0]) } func getAdminsQuery(order string) string { - return fmt.Sprintf(`SELECT %s FROM %s ORDER BY username %s LIMIT %s OFFSET %s`, selectAdminFields, sqlTableAdmins, - order, sqlPlaceholders[0], sqlPlaceholders[1]) + return fmt.Sprintf(`SELECT %s FROM %s a LEFT JOIN %s r on r.id = a.role_id ORDER BY a.username %s LIMIT %s OFFSET %s`, + selectAdminFields, sqlTableAdmins, sqlTableRoles, order, sqlPlaceholders[0], sqlPlaceholders[1]) } func getDumpAdminsQuery() string { - return fmt.Sprintf(`SELECT %s FROM %s`, selectAdminFields, sqlTableAdmins) + return fmt.Sprintf(`SELECT %s FROM %s a LEFT JOIN %s r on r.id = a.role_id`, + selectAdminFields, sqlTableAdmins, sqlTableRoles) } -func getAddAdminQuery() string { - return fmt.Sprintf(`INSERT INTO %s (username,password,status,email,permissions,filters,additional_info,description,created_at,updated_at,last_login) - VALUES (%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,0)`, sqlTableAdmins, sqlPlaceholders[0], sqlPlaceholders[1], - sqlPlaceholders[2], sqlPlaceholders[3], sqlPlaceholders[4], sqlPlaceholders[5], sqlPlaceholders[6], sqlPlaceholders[7], - sqlPlaceholders[8], sqlPlaceholders[9]) +func getAddAdminQuery(role string) string { + return fmt.Sprintf(`INSERT INTO %s (username,password,status,email,permissions,filters,additional_info,description,created_at,updated_at,last_login,role_id) + VALUES (%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,0,COALESCE((SELECT id from %s WHERE name = %s),%s))`, + sqlTableAdmins, sqlPlaceholders[0], sqlPlaceholders[1], sqlPlaceholders[2], sqlPlaceholders[3], sqlPlaceholders[4], + sqlPlaceholders[5], sqlPlaceholders[6], sqlPlaceholders[7], sqlPlaceholders[8], sqlPlaceholders[9], + sqlTableRoles, sqlPlaceholders[10], getCoalesceDefaultForRole(role)) } -func getUpdateAdminQuery() string { - return fmt.Sprintf(`UPDATE %s SET password=%s,status=%s,email=%s,permissions=%s,filters=%s,additional_info=%s,description=%s,updated_at=%s - WHERE username = %s`, sqlTableAdmins, sqlPlaceholders[0], sqlPlaceholders[1], sqlPlaceholders[2], - sqlPlaceholders[3], sqlPlaceholders[4], sqlPlaceholders[5], sqlPlaceholders[6], sqlPlaceholders[7], sqlPlaceholders[8]) +func getUpdateAdminQuery(role string) string { + return fmt.Sprintf(`UPDATE %s SET password=%s,status=%s,email=%s,permissions=%s,filters=%s,additional_info=%s,description=%s,updated_at=%s, + role_id=COALESCE((SELECT id from %s WHERE name = %s),%s) WHERE username = %s`, sqlTableAdmins, sqlPlaceholders[0], + sqlPlaceholders[1], sqlPlaceholders[2], sqlPlaceholders[3], sqlPlaceholders[4], sqlPlaceholders[5], sqlPlaceholders[6], + sqlPlaceholders[7], sqlTableRoles, sqlPlaceholders[8], getCoalesceDefaultForRole(role), sqlPlaceholders[9]) } func getDeleteAdminQuery() string { @@ -393,14 +475,25 @@ func getRelatedAdminsForAPIKeysQuery(apiKeys []APIKey) string { return fmt.Sprintf(`SELECT id,username FROM %s WHERE id IN %s`, sqlTableAdmins, sb.String()) } -func getUserByUsernameQuery() string { - return fmt.Sprintf(`SELECT %s FROM %s WHERE username = %s AND deleted_at = 0`, - selectUserFields, sqlTableUsers, sqlPlaceholders[0]) +func getUserByUsernameQuery(role string) string { + if role == "" { + return fmt.Sprintf(`SELECT %s FROM %s u LEFT JOIN %s r on r.id = u.role_id WHERE u.username = %s AND u.deleted_at = 0`, + selectUserFields, sqlTableUsers, sqlTableRoles, sqlPlaceholders[0]) + } + return fmt.Sprintf(`SELECT %s FROM %s u LEFT JOIN %s r on r.id = u.role_id WHERE u.username = %s AND u.deleted_at = 0 + AND u.role_id is NOT NULL AND r.name = %s`, + selectUserFields, sqlTableUsers, sqlTableRoles, sqlPlaceholders[0], sqlPlaceholders[1]) } -func getUsersQuery(order string) string { - return fmt.Sprintf(`SELECT %s FROM %s WHERE deleted_at = 0 ORDER BY username %s LIMIT %s OFFSET %s`, - selectUserFields, sqlTableUsers, order, sqlPlaceholders[0], sqlPlaceholders[1]) +func getUsersQuery(order, role string) string { + if role == "" { + return fmt.Sprintf(`SELECT %s FROM %s u LEFT JOIN %s r on r.id = u.role_id WHERE + u.deleted_at = 0 ORDER BY u.username %s LIMIT %s OFFSET %s`, + selectUserFields, sqlTableUsers, sqlTableRoles, order, sqlPlaceholders[0], sqlPlaceholders[1]) + } + return fmt.Sprintf(`SELECT %s FROM %s u LEFT JOIN %s r on r.id = u.role_id WHERE + u.deleted_at = 0 AND u.role_id is NOT NULL AND r.name = %s ORDER BY u.username %s LIMIT %s OFFSET %s`, + selectUserFields, sqlTableUsers, sqlTableRoles, sqlPlaceholders[0], order, sqlPlaceholders[1], sqlPlaceholders[2]) } func getUsersForQuotaCheckQuery(numArgs int) string { @@ -422,12 +515,13 @@ func getUsersForQuotaCheckQuery(numArgs int) string { } func getRecentlyUpdatedUsersQuery() string { - return fmt.Sprintf(`SELECT %s FROM %s WHERE updated_at >= %s OR deleted_at > 0`, - selectUserFields, sqlTableUsers, sqlPlaceholders[0]) + return fmt.Sprintf(`SELECT %s FROM %s u LEFT JOIN %s r on r.id = u.role_id WHERE u.updated_at >= %s OR u.deleted_at > 0`, + selectUserFields, sqlTableUsers, sqlTableRoles, sqlPlaceholders[0]) } func getDumpUsersQuery() string { - return fmt.Sprintf(`SELECT %s FROM %s WHERE deleted_at = 0`, selectUserFields, sqlTableUsers) + return fmt.Sprintf(`SELECT %s FROM %s u LEFT JOIN %s r on r.id = u.role_id WHERE u.deleted_at = 0`, + selectUserFields, sqlTableUsers, sqlTableRoles) } func getDumpFoldersQuery() string { @@ -490,29 +584,32 @@ func getQuotaQuery() string { sqlTableUsers, sqlPlaceholders[0]) } -func getAddUserQuery() string { +func getAddUserQuery(role string) string { return fmt.Sprintf(`INSERT INTO %s (username,password,public_keys,home_dir,uid,gid,max_sessions,quota_size,quota_files,permissions, used_quota_size,used_quota_files,last_quota_update,upload_bandwidth,download_bandwidth,status,last_login,expiration_date,filters, filesystem,additional_info,description,email,created_at,updated_at,upload_data_transfer,download_data_transfer,total_data_transfer, - used_upload_data_transfer,used_download_data_transfer,deleted_at,first_download,first_upload) - VALUES (%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,0,0,0,%s,%s,%s,0,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,0,0,0,0,0)`, + used_upload_data_transfer,used_download_data_transfer,deleted_at,first_download,first_upload,role_id) + VALUES (%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,0,0,0,%s,%s,%s,0,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,0,0,0,0,0, + COALESCE((SELECT id from %s WHERE name=%s),%s))`, sqlTableUsers, sqlPlaceholders[0], sqlPlaceholders[1], sqlPlaceholders[2], sqlPlaceholders[3], sqlPlaceholders[4], sqlPlaceholders[5], sqlPlaceholders[6], sqlPlaceholders[7], sqlPlaceholders[8], sqlPlaceholders[9], sqlPlaceholders[10], sqlPlaceholders[11], sqlPlaceholders[12], sqlPlaceholders[13], sqlPlaceholders[14], sqlPlaceholders[15], sqlPlaceholders[16], sqlPlaceholders[17], sqlPlaceholders[18], sqlPlaceholders[19], - sqlPlaceholders[20], sqlPlaceholders[21], sqlPlaceholders[22], sqlPlaceholders[23]) + sqlPlaceholders[20], sqlPlaceholders[21], sqlPlaceholders[22], sqlPlaceholders[23], sqlTableRoles, + sqlPlaceholders[24], getCoalesceDefaultForRole(role)) } -func getUpdateUserQuery() string { +func getUpdateUserQuery(role string) string { return fmt.Sprintf(`UPDATE %s SET password=%s,public_keys=%s,home_dir=%s,uid=%s,gid=%s,max_sessions=%s,quota_size=%s, quota_files=%s,permissions=%s,upload_bandwidth=%s,download_bandwidth=%s,status=%s,expiration_date=%s,filters=%s,filesystem=%s, additional_info=%s,description=%s,email=%s,updated_at=%s,upload_data_transfer=%s,download_data_transfer=%s, - total_data_transfer=%s WHERE id = %s`, + total_data_transfer=%s,role_id=COALESCE((SELECT id from %s WHERE name=%s),%s) WHERE id = %s`, sqlTableUsers, sqlPlaceholders[0], sqlPlaceholders[1], sqlPlaceholders[2], sqlPlaceholders[3], sqlPlaceholders[4], sqlPlaceholders[5], sqlPlaceholders[6], sqlPlaceholders[7], sqlPlaceholders[8], sqlPlaceholders[9], sqlPlaceholders[10], sqlPlaceholders[11], sqlPlaceholders[12], sqlPlaceholders[13], sqlPlaceholders[14], sqlPlaceholders[15], sqlPlaceholders[16], sqlPlaceholders[17], sqlPlaceholders[18], sqlPlaceholders[19], - sqlPlaceholders[20], sqlPlaceholders[21], sqlPlaceholders[22]) + sqlPlaceholders[20], sqlPlaceholders[21], sqlTableRoles, sqlPlaceholders[22], getCoalesceDefaultForRole(role), + sqlPlaceholders[23]) } func getUpdateUserPasswordQuery() string { diff --git a/internal/dataprovider/user.go b/internal/dataprovider/user.go index 1a12e0e0..96a58608 100644 --- a/internal/dataprovider/user.go +++ b/internal/dataprovider/user.go @@ -390,7 +390,7 @@ func (u *User) setAnonymousSettings() { // RenderAsJSON implements the renderer interface used within plugins func (u *User) RenderAsJSON(reload bool) ([]byte, error) { if reload { - user, err := provider.userExists(u.Username) + user, err := provider.userExists(u.Username, "") if err != nil { providerLog(logger.LevelError, "unable to reload user before rendering as json: %v", err) return nil, err @@ -500,7 +500,7 @@ func (u *User) getForbiddenSFTPSelfUsers(username string) ([]string, error) { if allowSelfConnections == 0 { return nil, nil } - sftpUser, err := UserExists(username) + sftpUser, err := UserExists(username, "") if err == nil { err = sftpUser.LoadAndApplyGroupSettings() } @@ -1825,6 +1825,13 @@ func (u *User) removeDuplicatesAfterGroupMerge() { u.groupSettingsApplied = true } +func (u *User) hasRole(role string) bool { + if role == "" { + return true + } + return role == u.Role +} + func (u *User) getACopy() User { u.SetEmptySecretsIfNil() pubKeys := make([]string, len(u.PublicKeys)) @@ -1899,6 +1906,7 @@ func (u *User) getACopy() User { Description: u.Description, CreatedAt: u.CreatedAt, UpdatedAt: u.UpdatedAt, + Role: u.Role, }, Filters: filters, VirtualFolders: virtualFolders, diff --git a/internal/ftpd/cryptfs_test.go b/internal/ftpd/cryptfs_test.go index e533c670..2200c1f5 100644 --- a/internal/ftpd/cryptfs_test.go +++ b/internal/ftpd/cryptfs_test.go @@ -43,7 +43,7 @@ func TestBasicFTPHandlingCryptFs(t *testing.T) { assert.NoError(t, err) client, err := getFTPClient(user, true, nil) if assert.NoError(t, err) { - assert.Len(t, common.Connections.GetStats(), 1) + assert.Len(t, common.Connections.GetStats(""), 1) testFilePath := filepath.Join(homeBasePath, testFileName) testFileSize := int64(65535) encryptedFileSize, err := getEncryptedFileSize(testFileSize) @@ -131,7 +131,7 @@ func TestBasicFTPHandlingCryptFs(t *testing.T) { assert.NoError(t, err) err = os.RemoveAll(user.GetHomeDir()) assert.NoError(t, err) - assert.Eventually(t, func() bool { return len(common.Connections.GetStats()) == 0 }, 1*time.Second, 50*time.Millisecond) + assert.Eventually(t, func() bool { return len(common.Connections.GetStats("")) == 0 }, 1*time.Second, 50*time.Millisecond) assert.Eventually(t, func() bool { return common.Connections.GetClientConnections() == 0 }, 1000*time.Millisecond, 50*time.Millisecond) } diff --git a/internal/ftpd/ftpd_test.go b/internal/ftpd/ftpd_test.go index 79b49302..a6229f71 100644 --- a/internal/ftpd/ftpd_test.go +++ b/internal/ftpd/ftpd_test.go @@ -519,9 +519,9 @@ func TestBasicFTPHandling(t *testing.T) { client, err := getFTPClient(user, true, nil) if assert.NoError(t, err) { if user.Username == defaultUsername { - assert.Len(t, common.Connections.GetStats(), 1) + assert.Len(t, common.Connections.GetStats(""), 1) } else { - assert.Len(t, common.Connections.GetStats(), 2) + assert.Len(t, common.Connections.GetStats(""), 2) } testFilePath := filepath.Join(homeBasePath, testFileName) testFileSize := int64(65535) @@ -619,7 +619,7 @@ func TestBasicFTPHandling(t *testing.T) { assert.NoError(t, err) err = os.RemoveAll(localUser.GetHomeDir()) assert.NoError(t, err) - assert.Eventually(t, func() bool { return len(common.Connections.GetStats()) == 0 }, 1*time.Second, 50*time.Millisecond) + assert.Eventually(t, func() bool { return len(common.Connections.GetStats("")) == 0 }, 1*time.Second, 50*time.Millisecond) assert.Eventually(t, func() bool { return common.Connections.GetClientConnections() == 0 }, 1000*time.Millisecond, 50*time.Millisecond) } @@ -663,7 +663,7 @@ func TestHTTPFs(t *testing.T) { assert.NoError(t, err) err = os.RemoveAll(user.GetHomeDir()) assert.NoError(t, err) - assert.Eventually(t, func() bool { return len(common.Connections.GetStats()) == 0 }, 1*time.Second, 50*time.Millisecond) + assert.Eventually(t, func() bool { return len(common.Connections.GetStats("")) == 0 }, 1*time.Second, 50*time.Millisecond) assert.Eventually(t, func() bool { return common.Connections.GetClientConnections() == 0 }, 1000*time.Millisecond, 50*time.Millisecond) } @@ -1623,7 +1623,7 @@ func TestMaxConnections(t *testing.T) { err = client.Quit() assert.NoError(t, err) } - err = dataprovider.DeleteUser(user.Username, "", "") + err = dataprovider.DeleteUser(user.Username, "", "", "") assert.NoError(t, err) err = os.RemoveAll(user.GetHomeDir()) assert.NoError(t, err) @@ -1653,7 +1653,7 @@ func TestMaxPerHostConnections(t *testing.T) { err = client.Quit() assert.NoError(t, err) } - err = dataprovider.DeleteUser(user.Username, "", "") + err = dataprovider.DeleteUser(user.Username, "", "", "") assert.NoError(t, err) err = os.RemoveAll(user.GetHomeDir()) assert.NoError(t, err) @@ -1710,7 +1710,7 @@ func TestRateLimiter(t *testing.T) { assert.Contains(t, err.Error(), "banned client IP") } - err = dataprovider.DeleteUser(user.Username, "", "") + err = dataprovider.DeleteUser(user.Username, "", "", "") assert.NoError(t, err) err = os.RemoveAll(user.GetHomeDir()) assert.NoError(t, err) @@ -1752,7 +1752,7 @@ func TestDefender(t *testing.T) { assert.Contains(t, err.Error(), "banned client IP") } - err = dataprovider.DeleteUser(user.Username, "", "") + err = dataprovider.DeleteUser(user.Username, "", "", "") assert.NoError(t, err) err = os.RemoveAll(user.GetHomeDir()) assert.NoError(t, err) @@ -2387,10 +2387,10 @@ func TestClientClose(t *testing.T) { if assert.NoError(t, err) { err = checkBasicFTP(client) assert.NoError(t, err) - stats := common.Connections.GetStats() + stats := common.Connections.GetStats("") if assert.Len(t, stats, 1) { - common.Connections.Close(stats[0].ConnectionID) - assert.Eventually(t, func() bool { return len(common.Connections.GetStats()) == 0 }, + common.Connections.Close(stats[0].ConnectionID, "") + assert.Eventually(t, func() bool { return len(common.Connections.GetStats("")) == 0 }, 1*time.Second, 50*time.Millisecond) } } @@ -3671,7 +3671,7 @@ func TestNestedVirtualFolders(t *testing.T) { assert.NoError(t, err) err = os.RemoveAll(localUser.GetHomeDir()) assert.NoError(t, err) - assert.Eventually(t, func() bool { return len(common.Connections.GetStats()) == 0 }, 1*time.Second, 50*time.Millisecond) + assert.Eventually(t, func() bool { return len(common.Connections.GetStats("")) == 0 }, 1*time.Second, 50*time.Millisecond) assert.Eventually(t, func() bool { return common.Connections.GetClientConnections() == 0 }, 1000*time.Millisecond, 50*time.Millisecond) } @@ -3818,7 +3818,7 @@ func waitTCPListening(address string) { func waitNoConnections() { time.Sleep(50 * time.Millisecond) - for len(common.Connections.GetStats()) > 0 { + for len(common.Connections.GetStats("")) > 0 { time.Sleep(50 * time.Millisecond) } } diff --git a/internal/ftpd/internal_test.go b/internal/ftpd/internal_test.go index 2418e6a3..b5cbd12d 100644 --- a/internal/ftpd/internal_test.go +++ b/internal/ftpd/internal_test.go @@ -620,12 +620,12 @@ func TestClientVersion(t *testing.T) { } err := common.Connections.Add(connection) assert.NoError(t, err) - stats := common.Connections.GetStats() + stats := common.Connections.GetStats("") if assert.Len(t, stats, 1) { assert.Equal(t, "mock version", stats[0].ClientVersion) common.Connections.Remove(connection.GetID()) } - assert.Len(t, common.Connections.GetStats(), 0) + assert.Len(t, common.Connections.GetStats(""), 0) } func TestDriverMethodsNotImplemented(t *testing.T) { diff --git a/internal/httpd/api_admin.go b/internal/httpd/api_admin.go index bca8c222..2bb1a2dd 100644 --- a/internal/httpd/api_admin.go +++ b/internal/httpd/api_admin.go @@ -147,6 +147,10 @@ func updateAdmin(w http.ResponseWriter, r *http.Request) { sendAPIResponse(w, r, errors.New("you cannot disable yourself"), "", http.StatusBadRequest) return } + if admin.Role != claims.Role { + sendAPIResponse(w, r, errors.New("you cannot add/change your role"), "", http.StatusBadRequest) + return + } } admin.ID = adminID admin.Username = username diff --git a/internal/httpd/api_http_user.go b/internal/httpd/api_http_user.go index d6faf9ca..baa73345 100644 --- a/internal/httpd/api_http_user.go +++ b/internal/httpd/api_http_user.go @@ -40,7 +40,7 @@ func getUserConnection(w http.ResponseWriter, r *http.Request) (*Connection, err sendAPIResponse(w, r, err, "Invalid token claims", http.StatusBadRequest) return nil, fmt.Errorf("invalid token claims %w", err) } - user, err := dataprovider.GetUserWithGroupSettings(claims.Username) + user, err := dataprovider.GetUserWithGroupSettings(claims.Username, "") if err != nil { sendAPIResponse(w, r, nil, "Unable to retrieve your user", getRespStatus(err)) return nil, err @@ -405,7 +405,7 @@ func getUserProfile(w http.ResponseWriter, r *http.Request) { sendAPIResponse(w, r, err, "Invalid token claims", http.StatusBadRequest) return } - user, err := dataprovider.UserExists(claims.Username) + user, err := dataprovider.UserExists(claims.Username, "") if err != nil { sendAPIResponse(w, r, err, "", getRespStatus(err)) return @@ -434,7 +434,7 @@ func updateUserProfile(w http.ResponseWriter, r *http.Request) { sendAPIResponse(w, r, err, "", http.StatusBadRequest) return } - user, userMerged, err := dataprovider.GetUserVariants(claims.Username) + user, userMerged, err := dataprovider.GetUserVariants(claims.Username, "") if err != nil { sendAPIResponse(w, r, err, "", getRespStatus(err)) return diff --git a/internal/httpd/api_maintenance.go b/internal/httpd/api_maintenance.go index 61b5c938..de4d87a8 100644 --- a/internal/httpd/api_maintenance.go +++ b/internal/httpd/api_maintenance.go @@ -180,6 +180,10 @@ func restoreBackup(content []byte, inputFile string, scanQuota, mode int, execut return util.NewValidationError(fmt.Sprintf("unable to parse backup content: %v", err)) } + if err = RestoreRoles(dump.Roles, inputFile, mode, executor, ipAddress); err != nil { + return err + } + if err = RestoreFolders(dump.Folders, inputFile, mode, scanQuota, executor, ipAddress); err != nil { return err } @@ -404,6 +408,30 @@ func RestoreAdmins(admins []dataprovider.Admin, inputFile string, mode int, exec return nil } +// RestoreRoles restores the specified roles +func RestoreRoles(roles []dataprovider.Role, inputFile string, mode int, executor, ipAddress string) error { + for _, role := range roles { + role := role // pin + r, err := dataprovider.RoleExists(role.Name) + if err == nil { + if mode == 1 { + logger.Debug(logSender, "", "loaddata mode 1, existing role %q not updated", r.Name) + continue + } + role.ID = r.ID + err = dataprovider.UpdateRole(&role, executor, ipAddress) + logger.Debug(logSender, "", "restoring existing role: %q, dump file: %#v, error: %v", role.Name, inputFile, err) + } else { + err = dataprovider.AddRole(&role, executor, ipAddress) + logger.Debug(logSender, "", "adding new role: %q, dump file: %q, error: %v", role.Name, inputFile, err) + } + if err != nil { + return fmt.Errorf("unable to restore role %#v: %w", role.Name, err) + } + } + return nil +} + // RestoreGroups restores the specified groups func RestoreGroups(groups []dataprovider.Group, inputFile string, mode int, executor, ipAddress string) error { for _, group := range groups { @@ -433,7 +461,7 @@ func RestoreGroups(groups []dataprovider.Group, inputFile string, mode int, exec func RestoreUsers(users []dataprovider.User, inputFile string, mode, scanQuota int, executor, ipAddress string) error { for _, user := range users { user := user // pin - u, err := dataprovider.UserExists(user.Username) + u, err := dataprovider.UserExists(user.Username, "") if err == nil { if mode == 1 { logger.Debug(logSender, "", "loaddata mode 1, existing user %#v not updated", u.Username) @@ -454,7 +482,7 @@ func RestoreUsers(users []dataprovider.User, inputFile string, mode, scanQuota i return fmt.Errorf("unable to restore user %#v: %w", user.Username, err) } if scanQuota == 1 || (scanQuota == 2 && user.HasQuotaRestrictions()) { - if common.QuotaScans.AddUserQuotaScan(user.Username) { + if common.QuotaScans.AddUserQuotaScan(user.Username, user.Role) { logger.Debug(logSender, "", "starting quota scan for restored user: %#v", user.Username) go doUserQuotaScan(user) //nolint:errcheck } diff --git a/internal/httpd/api_metadata.go b/internal/httpd/api_metadata.go index b7127606..894c77cc 100644 --- a/internal/httpd/api_metadata.go +++ b/internal/httpd/api_metadata.go @@ -27,18 +27,28 @@ import ( func getMetadataChecks(w http.ResponseWriter, r *http.Request) { r.Body = http.MaxBytesReader(w, r.Body, maxRequestSize) - render.JSON(w, r, common.ActiveMetadataChecks.Get()) + claims, err := getTokenClaims(r) + if err != nil || claims.Username == "" { + sendAPIResponse(w, r, err, "Invalid token claims", http.StatusBadRequest) + return + } + render.JSON(w, r, common.ActiveMetadataChecks.Get(claims.Role)) } func startMetadataCheck(w http.ResponseWriter, r *http.Request) { r.Body = http.MaxBytesReader(w, r.Body, maxRequestSize) + claims, err := getTokenClaims(r) + if err != nil || claims.Username == "" { + sendAPIResponse(w, r, err, "Invalid token claims", http.StatusBadRequest) + return + } - user, err := dataprovider.GetUserWithGroupSettings(getURLParam(r, "username")) + user, err := dataprovider.GetUserWithGroupSettings(getURLParam(r, "username"), claims.Role) if err != nil { sendAPIResponse(w, r, err, "", getRespStatus(err)) return } - if !common.ActiveMetadataChecks.Add(user.Username) { + if !common.ActiveMetadataChecks.Add(user.Username, user.Role) { sendAPIResponse(w, r, err, fmt.Sprintf("Another check is already in progress for user %#v", user.Username), http.StatusConflict) return diff --git a/internal/httpd/api_mfa.go b/internal/httpd/api_mfa.go index cf11e990..3d878275 100644 --- a/internal/httpd/api_mfa.go +++ b/internal/httpd/api_mfa.go @@ -152,7 +152,7 @@ func getRecoveryCodes(w http.ResponseWriter, r *http.Request) { recoveryCodes := make([]recoveryCode, 0, 12) var accountRecoveryCodes []dataprovider.RecoveryCode if claims.hasUserAudience() { - user, err := dataprovider.UserExists(claims.Username) + user, err := dataprovider.UserExists(claims.Username, "") if err != nil { sendAPIResponse(w, r, err, "", getRespStatus(err)) return @@ -203,7 +203,7 @@ func generateRecoveryCodes(w http.ResponseWriter, r *http.Request) { accountRecoveryCodes = append(accountRecoveryCodes, dataprovider.RecoveryCode{Secret: kms.NewPlainSecret(code)}) } if claims.hasUserAudience() { - user, err := dataprovider.UserExists(claims.Username) + user, err := dataprovider.UserExists(claims.Username, "") if err != nil { sendAPIResponse(w, r, err, "", getRespStatus(err)) return @@ -242,7 +242,7 @@ func getNewRecoveryCode() string { } func saveUserTOTPConfig(username string, r *http.Request, recoveryCodes []dataprovider.RecoveryCode) error { - user, err := dataprovider.UserExists(username) + user, err := dataprovider.UserExists(username, "") if err != nil { return err } diff --git a/internal/httpd/api_quota.go b/internal/httpd/api_quota.go index a3e63baa..aec27008 100644 --- a/internal/httpd/api_quota.go +++ b/internal/httpd/api_quota.go @@ -44,7 +44,12 @@ type transferQuotaUsage struct { func getUsersQuotaScans(w http.ResponseWriter, r *http.Request) { r.Body = http.MaxBytesReader(w, r.Body, maxRequestSize) - render.JSON(w, r, common.QuotaScans.GetUsersQuotaScans()) + claims, err := getTokenClaims(r) + if err != nil || claims.Username == "" { + sendAPIResponse(w, r, err, "Invalid token claims", http.StatusBadRequest) + return + } + render.JSON(w, r, common.QuotaScans.GetUsersQuotaScans(claims.Role)) } func getFoldersQuotaScans(w http.ResponseWriter, r *http.Request) { @@ -86,8 +91,13 @@ func startFolderQuotaScan(w http.ResponseWriter, r *http.Request) { func updateUserTransferQuotaUsage(w http.ResponseWriter, r *http.Request) { r.Body = http.MaxBytesReader(w, r.Body, maxRequestSize) + claims, err := getTokenClaims(r) + if err != nil || claims.Username == "" { + sendAPIResponse(w, r, err, "Invalid token claims", http.StatusBadRequest) + return + } var usage transferQuotaUsage - err := render.DecodeJSON(r.Body, &usage) + err = render.DecodeJSON(r.Body, &usage) if err != nil { sendAPIResponse(w, r, err, "", http.StatusBadRequest) return @@ -102,7 +112,7 @@ func updateUserTransferQuotaUsage(w http.ResponseWriter, r *http.Request) { sendAPIResponse(w, r, err, "", http.StatusBadRequest) return } - user, err := dataprovider.GetUserWithGroupSettings(getURLParam(r, "username")) + user, err := dataprovider.GetUserWithGroupSettings(getURLParam(r, "username"), claims.Role) if err != nil { sendAPIResponse(w, r, err, "", getRespStatus(err)) return @@ -122,6 +132,11 @@ func updateUserTransferQuotaUsage(w http.ResponseWriter, r *http.Request) { } func doUpdateUserQuotaUsage(w http.ResponseWriter, r *http.Request, username string, usage quotaUsage) { + claims, err := getTokenClaims(r) + if err != nil || claims.Username == "" { + sendAPIResponse(w, r, err, "Invalid token claims", http.StatusBadRequest) + return + } if usage.UsedQuotaFiles < 0 || usage.UsedQuotaSize < 0 { sendAPIResponse(w, r, errors.New("invalid used quota parameters, negative values are not allowed"), "", http.StatusBadRequest) @@ -132,7 +147,7 @@ func doUpdateUserQuotaUsage(w http.ResponseWriter, r *http.Request, username str sendAPIResponse(w, r, err, "", http.StatusBadRequest) return } - user, err := dataprovider.GetUserWithGroupSettings(username) + user, err := dataprovider.GetUserWithGroupSettings(username, claims.Role) if err != nil { sendAPIResponse(w, r, err, "", getRespStatus(err)) return @@ -142,7 +157,7 @@ func doUpdateUserQuotaUsage(w http.ResponseWriter, r *http.Request, username str "", http.StatusBadRequest) return } - if !common.QuotaScans.AddUserQuotaScan(user.Username) { + if !common.QuotaScans.AddUserQuotaScan(user.Username, user.Role) { sendAPIResponse(w, r, err, "A quota scan is in progress for this user", http.StatusConflict) return } @@ -189,12 +204,17 @@ func doStartUserQuotaScan(w http.ResponseWriter, r *http.Request, username strin sendAPIResponse(w, r, nil, "Quota tracking is disabled!", http.StatusForbidden) return } - user, err := dataprovider.GetUserWithGroupSettings(username) + claims, err := getTokenClaims(r) + if err != nil || claims.Username == "" { + sendAPIResponse(w, r, err, "Invalid token claims", http.StatusBadRequest) + return + } + user, err := dataprovider.GetUserWithGroupSettings(username, claims.Role) if err != nil { sendAPIResponse(w, r, err, "", getRespStatus(err)) return } - if !common.QuotaScans.AddUserQuotaScan(user.Username) { + if !common.QuotaScans.AddUserQuotaScan(user.Username, user.Role) { sendAPIResponse(w, r, nil, fmt.Sprintf("Another scan is already in progress for user %#v", username), http.StatusConflict) return diff --git a/internal/httpd/api_retention.go b/internal/httpd/api_retention.go index a3ba39f5..a2ef0bc4 100644 --- a/internal/httpd/api_retention.go +++ b/internal/httpd/api_retention.go @@ -26,13 +26,23 @@ import ( func getRetentionChecks(w http.ResponseWriter, r *http.Request) { r.Body = http.MaxBytesReader(w, r.Body, maxRequestSize) - render.JSON(w, r, common.RetentionChecks.Get()) + claims, err := getTokenClaims(r) + if err != nil || claims.Username == "" { + sendAPIResponse(w, r, err, "Invalid token claims", http.StatusBadRequest) + return + } + render.JSON(w, r, common.RetentionChecks.Get(claims.Role)) } func startRetentionCheck(w http.ResponseWriter, r *http.Request) { r.Body = http.MaxBytesReader(w, r.Body, maxRequestSize) + claims, err := getTokenClaims(r) + if err != nil || claims.Username == "" { + sendAPIResponse(w, r, err, "Invalid token claims", http.StatusBadRequest) + return + } username := getURLParam(r, "username") - user, err := dataprovider.GetUserWithGroupSettings(username) + user, err := dataprovider.GetUserWithGroupSettings(username, claims.Role) if err != nil { sendAPIResponse(w, r, err, "", getRespStatus(err)) return @@ -48,11 +58,6 @@ func startRetentionCheck(w http.ResponseWriter, r *http.Request) { check.Notifications = getCommaSeparatedQueryParam(r, "notifications") for _, notification := range check.Notifications { if notification == common.RetentionCheckNotificationEmail { - claims, err := getTokenClaims(r) - if err != nil { - sendAPIResponse(w, r, err, "Invalid token claims", http.StatusBadRequest) - return - } admin, err := dataprovider.AdminExists(claims.Username) if err != nil { sendAPIResponse(w, r, err, "", getRespStatus(err)) diff --git a/internal/httpd/api_role.go b/internal/httpd/api_role.go new file mode 100644 index 00000000..248c46ba --- /dev/null +++ b/internal/httpd/api_role.go @@ -0,0 +1,129 @@ +// Copyright (C) 2019-2022 Nicola Murino +// +// This program is free software: you can redistribute it and/or modify +// it under the terms of the GNU Affero General Public License as published +// by the Free Software Foundation, version 3. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU Affero General Public License for more details. +// +// You should have received a copy of the GNU Affero General Public License +// along with this program. If not, see . + +package httpd + +import ( + "context" + "net/http" + + "github.com/go-chi/render" + + "github.com/drakkan/sftpgo/v2/internal/dataprovider" + "github.com/drakkan/sftpgo/v2/internal/util" +) + +func getRoles(w http.ResponseWriter, r *http.Request) { + r.Body = http.MaxBytesReader(w, r.Body, maxRequestSize) + limit, offset, order, err := getSearchFilters(w, r) + if err != nil { + return + } + + roles, err := dataprovider.GetRoles(limit, offset, order, false) + if err != nil { + sendAPIResponse(w, r, err, "", http.StatusInternalServerError) + return + } + render.JSON(w, r, roles) +} + +func addRole(w http.ResponseWriter, r *http.Request) { + r.Body = http.MaxBytesReader(w, r.Body, maxRequestSize) + + claims, err := getTokenClaims(r) + if err != nil || claims.Username == "" { + sendAPIResponse(w, r, err, "Invalid token claims", http.StatusBadRequest) + return + } + var role dataprovider.Role + err = render.DecodeJSON(r.Body, &role) + if err != nil { + sendAPIResponse(w, r, err, "", http.StatusBadRequest) + return + } + err = dataprovider.AddRole(&role, claims.Username, util.GetIPFromRemoteAddress(r.RemoteAddr)) + if err != nil { + sendAPIResponse(w, r, err, "", getRespStatus(err)) + return + } + renderRole(w, r, role.Name, http.StatusCreated) +} + +func updateRole(w http.ResponseWriter, r *http.Request) { + r.Body = http.MaxBytesReader(w, r.Body, maxRequestSize) + claims, err := getTokenClaims(r) + if err != nil || claims.Username == "" { + sendAPIResponse(w, r, err, "Invalid token claims", http.StatusBadRequest) + return + } + + name := getURLParam(r, "name") + role, err := dataprovider.RoleExists(name) + if err != nil { + sendAPIResponse(w, r, err, "", getRespStatus(err)) + return + } + roleID := role.ID + name = role.Name + err = render.DecodeJSON(r.Body, &role) + if err != nil { + sendAPIResponse(w, r, err, "", http.StatusBadRequest) + return + } + role.ID = roleID + role.Name = name + err = dataprovider.UpdateRole(&role, claims.Username, util.GetIPFromRemoteAddress(r.RemoteAddr)) + if err != nil { + sendAPIResponse(w, r, err, "", getRespStatus(err)) + return + } + sendAPIResponse(w, r, nil, "Role updated", http.StatusOK) +} + +func renderRole(w http.ResponseWriter, r *http.Request, name string, status int) { + role, err := dataprovider.RoleExists(name) + if err != nil { + sendAPIResponse(w, r, err, "", getRespStatus(err)) + return + } + if status != http.StatusOK { + ctx := context.WithValue(r.Context(), render.StatusCtxKey, status) + render.JSON(w, r.WithContext(ctx), role) + } else { + render.JSON(w, r, role) + } +} + +func getRoleByName(w http.ResponseWriter, r *http.Request) { + r.Body = http.MaxBytesReader(w, r.Body, maxRequestSize) + name := getURLParam(r, "name") + renderRole(w, r, name, http.StatusOK) +} + +func deleteRole(w http.ResponseWriter, r *http.Request) { + r.Body = http.MaxBytesReader(w, r.Body, maxRequestSize) + claims, err := getTokenClaims(r) + if err != nil || claims.Username == "" { + sendAPIResponse(w, r, err, "Invalid token claims", http.StatusBadRequest) + return + } + name := getURLParam(r, "name") + err = dataprovider.DeleteRole(name, claims.Username, util.GetIPFromRemoteAddress(r.RemoteAddr)) + if err != nil { + sendAPIResponse(w, r, err, "", getRespStatus(err)) + return + } + sendAPIResponse(w, r, err, "Role deleted", http.StatusOK) +} diff --git a/internal/httpd/api_shares.go b/internal/httpd/api_shares.go index 9309c353..bb2fdbd5 100644 --- a/internal/httpd/api_shares.go +++ b/internal/httpd/api_shares.go @@ -79,7 +79,7 @@ func addShare(w http.ResponseWriter, r *http.Request) { sendAPIResponse(w, r, err, "Invalid token claims", http.StatusBadRequest) return } - user, err := dataprovider.GetUserWithGroupSettings(claims.Username) + user, err := dataprovider.GetUserWithGroupSettings(claims.Username, "") if err != nil { sendAPIResponse(w, r, err, "Unable to retrieve your user", getRespStatus(err)) return @@ -461,7 +461,7 @@ func (s *httpdServer) checkPublicShare(w http.ResponseWriter, r *http.Request, v } func getUserForShare(share dataprovider.Share) (dataprovider.User, error) { - user, err := dataprovider.GetUserWithGroupSettings(share.Username) + user, err := dataprovider.GetUserWithGroupSettings(share.Username, "") if err != nil { return user, err } diff --git a/internal/httpd/api_user.go b/internal/httpd/api_user.go index a6abcd24..d023efdb 100644 --- a/internal/httpd/api_user.go +++ b/internal/httpd/api_user.go @@ -38,8 +38,13 @@ func getUsers(w http.ResponseWriter, r *http.Request) { if err != nil { return } + claims, err := getTokenClaims(r) + if err != nil || claims.Username == "" { + sendAPIResponse(w, r, err, "Invalid token claims", http.StatusBadRequest) + return + } - users, err := dataprovider.GetUsers(limit, offset, order) + users, err := dataprovider.GetUsers(limit, offset, order, claims.Role) if err == nil { render.JSON(w, r, users) } else { @@ -49,12 +54,17 @@ func getUsers(w http.ResponseWriter, r *http.Request) { func getUserByUsername(w http.ResponseWriter, r *http.Request) { r.Body = http.MaxBytesReader(w, r.Body, maxRequestSize) + claims, err := getTokenClaims(r) + if err != nil || claims.Username == "" { + sendAPIResponse(w, r, err, "Invalid token claims", http.StatusBadRequest) + return + } username := getURLParam(r, "username") - renderUser(w, r, username, http.StatusOK) + renderUser(w, r, username, claims.Role, http.StatusOK) } -func renderUser(w http.ResponseWriter, r *http.Request, username string, status int) { - user, err := dataprovider.UserExists(username) +func renderUser(w http.ResponseWriter, r *http.Request, username, role string, status int) { + user, err := dataprovider.UserExists(username, role) if err != nil { sendAPIResponse(w, r, err, "", getRespStatus(err)) return @@ -90,12 +100,19 @@ func addUser(w http.ResponseWriter, r *http.Request) { sendAPIResponse(w, r, err, "", http.StatusBadRequest) return } + if claims.Role != "" { + user.Role = claims.Role + } + user.Filters.RecoveryCodes = nil + user.Filters.TOTPConfig = dataprovider.UserTOTPConfig{ + Enabled: false, + } err = dataprovider.AddUser(&user, claims.Username, util.GetIPFromRemoteAddress(r.RemoteAddr)) if err != nil { sendAPIResponse(w, r, err, "", getRespStatus(err)) return } - renderUser(w, r, user.Username, http.StatusCreated) + renderUser(w, r, user.Username, claims.Role, http.StatusCreated) } func disableUser2FA(w http.ResponseWriter, r *http.Request) { @@ -106,7 +123,7 @@ func disableUser2FA(w http.ResponseWriter, r *http.Request) { return } username := getURLParam(r, "username") - user, err := dataprovider.UserExists(username) + user, err := dataprovider.UserExists(username, claims.Role) if err != nil { sendAPIResponse(w, r, err, "", getRespStatus(err)) return @@ -140,7 +157,7 @@ func updateUser(w http.ResponseWriter, r *http.Request) { return } } - user, err := dataprovider.UserExists(username) + user, err := dataprovider.UserExists(username, claims.Role) if err != nil { sendAPIResponse(w, r, err, "", getRespStatus(err)) return @@ -188,6 +205,9 @@ func updateUser(w http.ResponseWriter, r *http.Request) { updateEncryptedSecrets(&user.FsConfig, currentS3AccessSecret, currentAzAccountKey, currentAzSASUrl, currentGCSCredentials, currentCryptoPassphrase, currentSFTPPassword, currentSFTPKey, currentSFTPKeyPassphrase, currentHTTPPassword, currentHTTPAPIKey) + if claims.Role != "" { + user.Role = claims.Role + } err = dataprovider.UpdateUser(&user, claims.Username, util.GetIPFromRemoteAddress(r.RemoteAddr)) if err != nil { sendAPIResponse(w, r, err, "", getRespStatus(err)) @@ -207,7 +227,7 @@ func deleteUser(w http.ResponseWriter, r *http.Request) { return } username := getURLParam(r, "username") - err = dataprovider.DeleteUser(username, claims.Username, util.GetIPFromRemoteAddress(r.RemoteAddr)) + err = dataprovider.DeleteUser(username, claims.Username, util.GetIPFromRemoteAddress(r.RemoteAddr), claims.Role) if err != nil { sendAPIResponse(w, r, err, "", getRespStatus(err)) return @@ -251,9 +271,9 @@ func resetUserPassword(w http.ResponseWriter, r *http.Request) { } func disconnectUser(username string) { - for _, stat := range common.Connections.GetStats() { + for _, stat := range common.Connections.GetStats("") { if stat.Username == username { - common.Connections.Close(stat.ConnectionID) + common.Connections.Close(stat.ConnectionID, "") } } } diff --git a/internal/httpd/api_utils.go b/internal/httpd/api_utils.go index 46bbb1c6..9d97c8f6 100644 --- a/internal/httpd/api_utils.go +++ b/internal/httpd/api_utils.go @@ -160,9 +160,9 @@ func getActiveConnections(w http.ResponseWriter, r *http.Request) { sendAPIResponse(w, r, err, "Invalid token claims", http.StatusBadRequest) return } - stats := common.Connections.GetStats() + stats := common.Connections.GetStats(claims.Role) if claims.NodeID == "" { - stats = append(stats, getNodesConnections(claims.Username)...) + stats = append(stats, getNodesConnections(claims.Username, claims.Role)...) } render.JSON(w, r, stats) } @@ -181,7 +181,7 @@ func handleCloseConnection(w http.ResponseWriter, r *http.Request) { } node := r.URL.Query().Get("node") if node == "" || node == dataprovider.GetNodeName() { - if common.Connections.Close(connectionID) { + if common.Connections.Close(connectionID, claims.Role) { sendAPIResponse(w, r, nil, "Connection closed", http.StatusOK) } else { sendAPIResponse(w, r, nil, "Not Found", http.StatusNotFound) @@ -195,7 +195,7 @@ func handleCloseConnection(w http.ResponseWriter, r *http.Request) { sendAPIResponse(w, r, nil, http.StatusText(status), status) return } - if err := n.SendDeleteRequest(claims.Username, fmt.Sprintf("%s/%s", activeConnectionsPath, connectionID)); err != nil { + if err := n.SendDeleteRequest(claims.Username, claims.Role, fmt.Sprintf("%s/%s", activeConnectionsPath, connectionID)); err != nil { logger.Warn(logSender, "", "unable to delete connection id %q from node %q: %v", connectionID, n.Name, err) sendAPIResponse(w, r, nil, "Not Found", http.StatusNotFound) return @@ -205,7 +205,7 @@ func handleCloseConnection(w http.ResponseWriter, r *http.Request) { // getNodesConnections returns the active connections from other nodes. // Errors are silently ignored -func getNodesConnections(admin string) []common.ConnectionStatus { +func getNodesConnections(admin, role string) []common.ConnectionStatus { nodes, err := dataprovider.GetNodes() if err != nil || len(nodes) == 0 { return nil @@ -221,7 +221,7 @@ func getNodesConnections(admin string) []common.ConnectionStatus { defer wg.Done() var stats []common.ConnectionStatus - if err := node.SendGetRequest(admin, activeConnectionsPath, &stats); err != nil { + if err := node.SendGetRequest(admin, role, activeConnectionsPath, &stats); err != nil { logger.Warn(logSender, "", "unable to get connections from node %s: %v", node.Name, err) return } @@ -647,7 +647,7 @@ func handleForgotPassword(r *http.Request, username string, isAdmin bool) error email = admin.Email subject = fmt.Sprintf("Email Verification Code for admin %#v", username) } else { - user, err = dataprovider.GetUserWithGroupSettings(username) + user, err = dataprovider.GetUserWithGroupSettings(username, "") email = user.Email subject = fmt.Sprintf("Email Verification Code for user %#v", username) if err == nil { @@ -719,7 +719,7 @@ func handleResetPassword(r *http.Request, code, newPassword string, isAdmin bool err = resetCodesMgr.Delete(code) return &admin, &user, err } - user, err = dataprovider.GetUserWithGroupSettings(resetCode.Username) + user, err = dataprovider.GetUserWithGroupSettings(resetCode.Username, "") if err != nil { return &admin, &user, util.NewValidationError("Unable to associate the confirmation code with an existing user") } diff --git a/internal/httpd/auth_utils.go b/internal/httpd/auth_utils.go index bd68e8f4..5690af55 100644 --- a/internal/httpd/auth_utils.go +++ b/internal/httpd/auth_utils.go @@ -21,7 +21,7 @@ import ( "time" "github.com/go-chi/jwtauth/v5" - "github.com/lestrrat-go/jwx/jwt" + "github.com/lestrrat-go/jwx/v2/jwt" "github.com/rs/xid" "github.com/drakkan/sftpgo/v2/internal/dataprovider" @@ -51,6 +51,7 @@ const ( const ( claimUsernameKey = "username" claimPermissionsKey = "permissions" + claimRole = "role" claimAPIKey = "api_key" claimNodeID = "node_id" claimMustSetSecondFactorKey = "2fa_required" @@ -72,6 +73,7 @@ var ( type jwtTokenClaims struct { Username string Permissions []string + Role string Signature string Audience []string APIKeyID string @@ -96,6 +98,9 @@ func (c *jwtTokenClaims) asMap() map[string]any { claims[claimUsernameKey] = c.Username claims[claimPermissionsKey] = c.Permissions + if c.Role != "" { + claims[claimRole] = c.Role + } if c.APIKeyID != "" { claims[claimAPIKey] = c.APIKeyID } @@ -169,6 +174,13 @@ func (c *jwtTokenClaims) Decode(token map[string]any) { } } + if val, ok := token[claimRole]; ok { + switch v := val.(type) { + case string: + c.Role = v + } + } + permissions := token[claimPermissionsKey] c.Permissions = c.decodeSliceString(permissions) @@ -350,6 +362,7 @@ func getAdminFromToken(r *http.Request) *dataprovider.Admin { admin.Username = tokenClaims.Username admin.Permissions = tokenClaims.Permissions admin.Filters.Preferences.HideUserPageSections = tokenClaims.HideUserPageSections + admin.Role = tokenClaims.Role return admin } diff --git a/internal/httpd/httpd.go b/internal/httpd/httpd.go index 2ad26aea..b75a00cd 100644 --- a/internal/httpd/httpd.go +++ b/internal/httpd/httpd.go @@ -32,7 +32,7 @@ import ( "github.com/go-chi/chi/v5" "github.com/go-chi/jwtauth/v5" - "github.com/lestrrat-go/jwx/jwa" + "github.com/lestrrat-go/jwx/v2/jwa" "github.com/drakkan/sftpgo/v2/internal/common" "github.com/drakkan/sftpgo/v2/internal/dataprovider" @@ -91,6 +91,7 @@ const ( sharesPath = "/api/v2/shares" eventActionsPath = "/api/v2/eventactions" eventRulesPath = "/api/v2/eventrules" + rolesPath = "/api/v2/roles" healthzPath = "/healthz" robotsTxtPath = "/robots.txt" webRootPathDefault = "/" @@ -128,6 +129,8 @@ const ( webAdminEventRulePathDefault = "/web/admin/eventrule" webAdminEventActionsPathDefault = "/web/admin/eventactions" webAdminEventActionPathDefault = "/web/admin/eventaction" + webAdminRolesPathDefault = "/web/admin/roles" + webAdminRolePathDefault = "/web/admin/role" webAdminTOTPGeneratePathDefault = "/web/admin/totp/generate" webAdminTOTPValidatePathDefault = "/web/admin/totp/validate" webAdminTOTPSavePathDefault = "/web/admin/totp/save" @@ -211,6 +214,8 @@ var ( webAdminEventRulePath string webAdminEventActionsPath string webAdminEventActionPath string + webAdminRolesPath string + webAdminRolePath string webAdminTOTPGeneratePath string webAdminTOTPValidatePath string webAdminTOTPSavePath string @@ -1010,6 +1015,8 @@ func updateWebAdminURLs(baseURL string) { webAdminEventRulePath = path.Join(baseURL, webAdminEventRulePathDefault) webAdminEventActionsPath = path.Join(baseURL, webAdminEventActionsPathDefault) webAdminEventActionPath = path.Join(baseURL, webAdminEventActionPathDefault) + webAdminRolesPath = path.Join(baseURL, webAdminRolesPathDefault) + webAdminRolePath = path.Join(baseURL, webAdminRolePathDefault) webAdminTOTPGeneratePath = path.Join(baseURL, webAdminTOTPGeneratePathDefault) webAdminTOTPValidatePath = path.Join(baseURL, webAdminTOTPValidatePathDefault) webAdminTOTPSavePath = path.Join(baseURL, webAdminTOTPSavePathDefault) diff --git a/internal/httpd/httpd_test.go b/internal/httpd/httpd_test.go index d8289be9..3745654d 100644 --- a/internal/httpd/httpd_test.go +++ b/internal/httpd/httpd_test.go @@ -125,6 +125,7 @@ const ( sharesPath = "/api/v2/shares" eventActionsPath = "/api/v2/eventactions" eventRulesPath = "/api/v2/eventrules" + rolesPath = "/api/v2/roles" healthzPath = "/healthz" robotsTxtPath = "/robots.txt" webBasePath = "/web" @@ -155,6 +156,12 @@ const ( webAdminTOTPSavePath = "/web/admin/totp/save" webAdminForgotPwdPath = "/web/admin/forgot-password" webAdminResetPwdPath = "/web/admin/reset-password" + webAdminEventRulesPath = "/web/admin/eventrules" + webAdminEventRulePath = "/web/admin/eventrule" + webAdminEventActionsPath = "/web/admin/eventactions" + webAdminEventActionPath = "/web/admin/eventaction" + webAdminRolesPath = "/web/admin/roles" + webAdminRolePath = "/web/admin/role" webBasePathClient = "/web/client" webClientLoginPath = "/web/client/login" webClientFilesPath = "/web/client/files" @@ -175,10 +182,6 @@ const ( webClientResetPwdPath = "/web/client/reset-password" webClientViewPDFPath = "/web/client/viewpdf" webClientGetPDFPath = "/web/client/getpdf" - webAdminEventRulesPath = "/web/admin/eventrules" - webAdminEventRulePath = "/web/admin/eventrule" - webAdminEventActionsPath = "/web/admin/eventactions" - webAdminEventActionPath = "/web/admin/eventaction" httpBaseURL = "http://127.0.0.1:8081" defaultRemoteAddr = "127.0.0.1:1234" sftpServerAddr = "127.0.0.1:8022" @@ -597,6 +600,187 @@ func TestBasicUserHandling(t *testing.T) { assert.NoError(t, err) } +func TestBasicRoleHandling(t *testing.T) { + r := getTestRole() + role, resp, err := httpdtest.AddRole(r, http.StatusCreated) + assert.NoError(t, err, string(resp)) + assert.Greater(t, role.CreatedAt, int64(0)) + assert.Greater(t, role.UpdatedAt, int64(0)) + roleGet, _, err := httpdtest.GetRoleByName(role.Name, http.StatusOK) + assert.NoError(t, err) + assert.Equal(t, role, roleGet) + + roles, _, err := httpdtest.GetRoles(0, 0, http.StatusOK) + assert.NoError(t, err) + if assert.GreaterOrEqual(t, len(roles), 1) { + found := false + for _, ro := range roles { + if ro.Name == r.Name { + assert.Equal(t, role, ro) + found = true + } + } + assert.True(t, found) + } + roles, _, err = httpdtest.GetRoles(0, int64(len(roles)), http.StatusOK) + assert.NoError(t, err) + assert.Len(t, roles, 0) + + role.Description = "updated desc" + _, _, err = httpdtest.UpdateRole(role, http.StatusOK) + assert.NoError(t, err) + roleGet, _, err = httpdtest.GetRoleByName(role.Name, http.StatusOK) + assert.NoError(t, err) + assert.Equal(t, role.Description, roleGet.Description) + + _, _, err = httpdtest.GetRoleByName(role.Name+"_", http.StatusNotFound) + assert.NoError(t, err) + // adding the same role again should fail + _, _, err = httpdtest.AddRole(r, http.StatusInternalServerError) + assert.NoError(t, err) + + _, err = httpdtest.RemoveRole(role, http.StatusOK) + assert.NoError(t, err) +} + +func TestRoleRelations(t *testing.T) { + r := getTestRole() + role, resp, err := httpdtest.AddRole(r, http.StatusCreated) + assert.NoError(t, err, string(resp)) + a := getTestAdmin() + a.Username = altAdminUsername + a.Password = altAdminPassword + a.Role = role.Name + _, resp, err = httpdtest.AddAdmin(a, http.StatusBadRequest) + assert.NoError(t, err) + assert.Contains(t, string(resp), "a role admin cannot have the following permissions") + + a.Permissions = []string{dataprovider.PermAdminAddUsers, dataprovider.PermAdminChangeUsers, + dataprovider.PermAdminDeleteUsers, dataprovider.PermAdminViewUsers} + a.Role = "missing admin role" + _, _, err = httpdtest.AddAdmin(a, http.StatusInternalServerError) + assert.NoError(t, err) + a.Role = role.Name + admin, _, err := httpdtest.AddAdmin(a, http.StatusCreated) + assert.NoError(t, err) + admin.Role = "invalid role" + _, _, err = httpdtest.UpdateAdmin(admin, http.StatusInternalServerError) + assert.NoError(t, err) + admin, _, err = httpdtest.GetAdminByUsername(admin.Username, http.StatusOK) + assert.NoError(t, err) + assert.Equal(t, role.Name, admin.Role) + + resp, err = httpdtest.RemoveRole(role, http.StatusOK) + assert.Error(t, err, "removing a referenced role should fail") + assert.Contains(t, string(resp), "is referenced") + + role, _, err = httpdtest.GetRoleByName(role.Name, http.StatusOK) + assert.NoError(t, err) + if assert.Len(t, role.Admins, 1) { + assert.Equal(t, admin.Username, role.Admins[0]) + } + + u1 := getTestUser() + u1.Username = defaultUsername + "1" + u1.Role = "missing role" + _, _, err = httpdtest.AddUser(u1, http.StatusInternalServerError) + assert.NoError(t, err) + u1.Role = role.Name + user1, _, err := httpdtest.AddUser(u1, http.StatusCreated) + assert.NoError(t, err) + assert.Equal(t, role.Name, user1.Role) + user1.Role = "missing" + _, _, err = httpdtest.UpdateUser(user1, http.StatusInternalServerError, "") + assert.NoError(t, err) + user1, _, err = httpdtest.GetUserByUsername(user1.Username, http.StatusOK) + assert.NoError(t, err) + assert.Equal(t, role.Name, user1.Role) + + role, _, err = httpdtest.GetRoleByName(role.Name, http.StatusOK) + assert.NoError(t, err) + if assert.Len(t, role.Admins, 1) { + assert.Equal(t, admin.Username, role.Admins[0]) + } + if assert.Len(t, role.Users, 1) { + assert.Equal(t, user1.Username, role.Users[0]) + } + roles, _, err := httpdtest.GetRoles(0, 0, http.StatusOK) + assert.NoError(t, err) + for _, r := range roles { + if r.Name == role.Name { + if assert.Len(t, role.Admins, 1) { + assert.Equal(t, admin.Username, role.Admins[0]) + } + if assert.Len(t, role.Users, 1) { + assert.Equal(t, user1.Username, role.Users[0]) + } + } + } + + u2 := getTestUser() + user2, _, err := httpdtest.AddUser(u2, http.StatusCreated) + assert.NoError(t, err) + + // the global admin can list all users + users, _, err := httpdtest.GetUsers(0, 0, http.StatusOK) + assert.NoError(t, err) + assert.GreaterOrEqual(t, len(users), 2) + _, _, err = httpdtest.GetUserByUsername(user1.Username, http.StatusOK) + assert.NoError(t, err) + _, _, err = httpdtest.GetUserByUsername(user2.Username, http.StatusOK) + assert.NoError(t, err) + // the role admin can only list users with its role + token, _, err := httpdtest.GetToken(altAdminUsername, altAdminPassword) + assert.NoError(t, err) + httpdtest.SetJWTToken(token) + users, _, err = httpdtest.GetUsers(0, 0, http.StatusOK) + assert.NoError(t, err) + assert.Len(t, users, 1) + _, _, err = httpdtest.GetUserByUsername(user1.Username, http.StatusOK) + assert.NoError(t, err) + _, _, err = httpdtest.GetUserByUsername(user2.Username, http.StatusNotFound) + assert.NoError(t, err) + // the role admin can only update/delete users with its role + _, _, err = httpdtest.UpdateUser(user1, http.StatusOK, "") + assert.NoError(t, err) + _, _, err = httpdtest.UpdateUser(user2, http.StatusNotFound, "") + assert.NoError(t, err) + _, err = httpdtest.RemoveUser(user2, http.StatusNotFound) + assert.NoError(t, err) + // new users created by a role admin have the same role + u3 := getTestUser() + u3.Username = defaultUsername + "3" + _, _, err = httpdtest.AddUser(u3, http.StatusCreated) + if assert.Error(t, err) { + assert.Equal(t, err.Error(), "role mismatch") + } + + user3, _, err := httpdtest.GetUserByUsername(u3.Username, http.StatusOK) + assert.NoError(t, err) + assert.Equal(t, role.Name, user3.Role) + + _, err = httpdtest.RemoveUser(user3, http.StatusOK) + assert.NoError(t, err) + + httpdtest.SetJWTToken("") + + role, _, err = httpdtest.GetRoleByName(role.Name, http.StatusOK) + assert.NoError(t, err) + assert.Equal(t, role.Admins, []string{altAdminUsername}) + + _, err = httpdtest.RemoveAdmin(admin, http.StatusOK) + assert.NoError(t, err) + _, err = httpdtest.RemoveRole(role, http.StatusOK) + assert.NoError(t, err) + user1, _, err = httpdtest.GetUserByUsername(user1.Username, http.StatusOK) + assert.NoError(t, err) + assert.Empty(t, user1.Role) + _, err = httpdtest.RemoveUser(user1, http.StatusOK) + assert.NoError(t, err) + _, err = httpdtest.RemoveUser(user2, http.StatusOK) + assert.NoError(t, err) +} + func TestBasicGroupHandling(t *testing.T) { g := getTestGroup() group, _, err := httpdtest.AddGroup(g, http.StatusCreated) @@ -971,7 +1155,7 @@ func TestGroupSettingsOverride(t *testing.T) { assert.NoError(t, err) assert.Len(t, user.VirtualFolders, 3) - user1, user2, err := dataprovider.GetUserVariants(defaultUsername) + user1, user2, err := dataprovider.GetUserVariants(defaultUsername, "") assert.NoError(t, err) assert.Len(t, user1.VirtualFolders, 0) assert.Len(t, user2.VirtualFolders, 3) @@ -3582,7 +3766,7 @@ func TestUserType(t *testing.T) { assert.NoError(t, err) } -func TestMetadataAPI(t *testing.T) { +func TestMetadataAPIMock(t *testing.T) { user, _, err := httpdtest.AddUser(getTestUser(), http.StatusCreated) assert.NoError(t, err) @@ -3662,7 +3846,7 @@ func TestRetentionAPI(t *testing.T) { assert.NoError(t, err) assert.Eventually(t, func() bool { - return len(common.RetentionChecks.Get()) == 0 + return len(common.RetentionChecks.Get("")) == 0 }, 1000*time.Millisecond, 50*time.Millisecond) assert.FileExists(t, localFilePath) @@ -3674,7 +3858,7 @@ func TestRetentionAPI(t *testing.T) { assert.NoError(t, err) assert.Eventually(t, func() bool { - return len(common.RetentionChecks.Get()) == 0 + return len(common.RetentionChecks.Get("")) == 0 }, 1000*time.Millisecond, 50*time.Millisecond) assert.NoFileExists(t, localFilePath) @@ -3691,7 +3875,7 @@ func TestRetentionAPI(t *testing.T) { err = c.Start() assert.NoError(t, err) - assert.Len(t, common.RetentionChecks.Get(), 0) + assert.Len(t, common.RetentionChecks.Get(""), 0) admin := getTestAdmin() admin.Username = altAdminUsername @@ -3837,7 +4021,7 @@ func TestUserPublicKey(t *testing.T) { user, _, err := httpdtest.AddUser(u, http.StatusCreated) assert.NoError(t, err) - dbUser, err := dataprovider.UserExists(u.Username) + dbUser, err := dataprovider.UserExists(u.Username, "") assert.NoError(t, err) assert.Empty(t, dbUser.Password) assert.False(t, dbUser.IsPasswordHashed()) @@ -3850,7 +4034,7 @@ func TestUserPublicKey(t *testing.T) { _, _, err = httpdtest.UpdateUser(user, http.StatusOK, "") assert.NoError(t, err) - dbUser, err = dataprovider.UserExists(u.Username) + dbUser, err = dataprovider.UserExists(u.Username, "") assert.NoError(t, err) assert.NotEmpty(t, dbUser.Password) assert.True(t, dbUser.IsPasswordHashed()) @@ -3866,7 +4050,7 @@ func TestUpdateUserEmptyPassword(t *testing.T) { assert.NoError(t, err) // the password is not empty - dbUser, err := dataprovider.UserExists(u.Username) + dbUser, err := dataprovider.UserExists(u.Username, "") assert.NoError(t, err) assert.NotEmpty(t, dbUser.Password) assert.True(t, dbUser.IsPasswordHashed()) @@ -3879,7 +4063,7 @@ func TestUpdateUserEmptyPassword(t *testing.T) { assert.NoError(t, err) assert.Equal(t, user.Password, userNoPwd.Password) // the password is hidden // check the password within the data provider - dbUser, err = dataprovider.UserExists(u.Username) + dbUser, err = dataprovider.UserExists(u.Username, "") assert.NoError(t, err) assert.Empty(t, dbUser.Password) assert.False(t, dbUser.IsPasswordHashed()) @@ -4802,7 +4986,7 @@ func TestUserHiddenFields(t *testing.T) { assert.NotEmpty(t, user6.FsConfig.HTTPConfig.APIKey.GetPayload()) // finally check that we have all the data inside the data provider - user1, err = dataprovider.UserExists(user1.Username) + user1, err = dataprovider.UserExists(user1.Username, "") assert.NoError(t, err) assert.NotEmpty(t, user1.Password) assert.NotEmpty(t, user1.FsConfig.S3Config.AccessSecret.GetKey()) @@ -4816,7 +5000,7 @@ func TestUserHiddenFields(t *testing.T) { assert.Empty(t, user1.FsConfig.S3Config.AccessSecret.GetKey()) assert.Empty(t, user1.FsConfig.S3Config.AccessSecret.GetAdditionalData()) - user2, err = dataprovider.UserExists(user2.Username) + user2, err = dataprovider.UserExists(user2.Username, "") assert.NoError(t, err) assert.NotEmpty(t, user2.Password) assert.NotEmpty(t, user2.FsConfig.GCSConfig.Credentials.GetKey()) @@ -4830,7 +5014,7 @@ func TestUserHiddenFields(t *testing.T) { assert.Empty(t, user2.FsConfig.GCSConfig.Credentials.GetKey()) assert.Empty(t, user2.FsConfig.GCSConfig.Credentials.GetAdditionalData()) - user3, err = dataprovider.UserExists(user3.Username) + user3, err = dataprovider.UserExists(user3.Username, "") assert.NoError(t, err) assert.NotEmpty(t, user3.Password) assert.NotEmpty(t, user3.FsConfig.AzBlobConfig.AccountKey.GetKey()) @@ -4844,7 +5028,7 @@ func TestUserHiddenFields(t *testing.T) { assert.Empty(t, user3.FsConfig.AzBlobConfig.AccountKey.GetKey()) assert.Empty(t, user3.FsConfig.AzBlobConfig.AccountKey.GetAdditionalData()) - user4, err = dataprovider.UserExists(user4.Username) + user4, err = dataprovider.UserExists(user4.Username, "") assert.NoError(t, err) assert.NotEmpty(t, user4.Password) assert.NotEmpty(t, user4.FsConfig.CryptConfig.Passphrase.GetKey()) @@ -4858,7 +5042,7 @@ func TestUserHiddenFields(t *testing.T) { assert.Empty(t, user4.FsConfig.CryptConfig.Passphrase.GetKey()) assert.Empty(t, user4.FsConfig.CryptConfig.Passphrase.GetAdditionalData()) - user5, err = dataprovider.UserExists(user5.Username) + user5, err = dataprovider.UserExists(user5.Username, "") assert.NoError(t, err) assert.NotEmpty(t, user5.Password) assert.NotEmpty(t, user5.FsConfig.SFTPConfig.Password.GetKey()) @@ -4882,7 +5066,7 @@ func TestUserHiddenFields(t *testing.T) { assert.Empty(t, user5.FsConfig.SFTPConfig.PrivateKey.GetKey()) assert.Empty(t, user5.FsConfig.SFTPConfig.PrivateKey.GetAdditionalData()) - user6, err = dataprovider.UserExists(user6.Username) + user6, err = dataprovider.UserExists(user6.Username, "") assert.NoError(t, err) assert.NotEmpty(t, user6.Password) assert.NotEmpty(t, user6.FsConfig.HTTPConfig.Password.GetKey()) @@ -5466,7 +5650,7 @@ func TestCloseActiveConnection(t *testing.T) { assert.NoError(t, err) _, err = httpdtest.CloseConnection(c.GetID(), http.StatusOK) assert.NoError(t, err) - assert.Len(t, common.Connections.GetStats(), 0) + assert.Len(t, common.Connections.GetStats(""), 0) } func TestCloseConnectionAfterUserUpdateDelete(t *testing.T) { @@ -5486,19 +5670,19 @@ func TestCloseConnectionAfterUserUpdateDelete(t *testing.T) { assert.NoError(t, err) user, _, err = httpdtest.UpdateUser(user, http.StatusOK, "0") assert.NoError(t, err) - assert.Len(t, common.Connections.GetStats(), 2) + assert.Len(t, common.Connections.GetStats(""), 2) user, _, err = httpdtest.UpdateUser(user, http.StatusOK, "1") assert.NoError(t, err) - assert.Len(t, common.Connections.GetStats(), 0) + assert.Len(t, common.Connections.GetStats(""), 0) err = common.Connections.Add(fakeConn) assert.NoError(t, err) err = common.Connections.Add(fakeConn1) assert.NoError(t, err) - assert.Len(t, common.Connections.GetStats(), 2) + assert.Len(t, common.Connections.GetStats(""), 2) _, err = httpdtest.RemoveUser(user, http.StatusOK) assert.NoError(t, err) - assert.Len(t, common.Connections.GetStats(), 0) + assert.Len(t, common.Connections.GetStats(""), 0) } func TestAdminGenerateRecoveryCodesSaveError(t *testing.T) { @@ -5599,6 +5783,11 @@ func TestNamingRules(t *testing.T) { assert.NoError(t, err) assert.True(t, user.Filters.TOTPConfig.Enabled) + r := getTestRole() + r.Name = "role@mycompany" + role, _, err := httpdtest.AddRole(r, http.StatusCreated) + assert.NoError(t, err) + a := getTestAdmin() a.Username = "admiN@example.com " admin, _, err := httpdtest.AddAdmin(a, http.StatusCreated) @@ -5729,6 +5918,14 @@ func TestNamingRules(t *testing.T) { checkResponseCode(t, http.StatusOK, rr) assert.Contains(t, rr.Body.String(), "the following characters are allowed") + req, _ = http.NewRequest(http.MethodPost, path.Join(webAdminRolePath, role.Name), bytes.NewBuffer([]byte(form.Encode()))) + req.RemoteAddr = defaultRemoteAddr + req.Header.Set("Content-Type", "application/x-www-form-urlencoded") + setJWTCookieForReq(req, token) + rr = executeRequest(req) + checkResponseCode(t, http.StatusOK, rr) + assert.Contains(t, rr.Body.String(), "the following characters are allowed") + apiKeyAuthReq = make(map[string]bool) apiKeyAuthReq["allow_api_key_auth"] = true asJSON, err = json.Marshal(apiKeyAuthReq) @@ -5773,6 +5970,8 @@ func TestNamingRules(t *testing.T) { _, err = httpdtest.RemoveAdmin(admin, http.StatusOK) assert.NoError(t, err) + _, err = httpdtest.RemoveRole(role, http.StatusOK) + assert.NoError(t, err) smtpCfg = smtp.Config{} err = smtpCfg.Initialize(configDir) @@ -5841,6 +6040,11 @@ func TestSaveErrors(t *testing.T) { assert.True(t, admin.Filters.TOTPConfig.Enabled) assert.Len(t, admin.Filters.RecoveryCodes, 1) + r := getTestRole() + r.Name = "role@mycompany" + role, _, err := httpdtest.AddRole(r, http.StatusCreated) + assert.NoError(t, err) + err = dataprovider.Close() assert.NoError(t, err) err = config.LoadConfig(configDir, "") @@ -5853,6 +6057,10 @@ func TestSaveErrors(t *testing.T) { return } + _, resp, err := httpdtest.UpdateRole(role, http.StatusBadRequest) + assert.NoError(t, err) + assert.Contains(t, string(resp), "the following characters are allowed") + csrfToken, err := getCSRFToken(httpBaseURL + webLoginPath) assert.NoError(t, err) form := getLoginForm(a.Username, a.Password, csrfToken) @@ -5910,6 +6118,8 @@ func TestSaveErrors(t *testing.T) { _, err = httpdtest.RemoveAdmin(admin, http.StatusOK) assert.NoError(t, err) + _, err = httpdtest.RemoveRole(role, http.StatusOK) + assert.NoError(t, err) } func TestUserBaseDir(t *testing.T) { @@ -6014,6 +6224,10 @@ func TestProviderErrors(t *testing.T) { assert.NoError(t, err) _, _, err = httpdtest.GetEventRules(1, 0, http.StatusInternalServerError) assert.NoError(t, err) + _, _, err = httpdtest.GetRoles(1, 0, http.StatusInternalServerError) + assert.NoError(t, err) + _, _, err = httpdtest.UpdateRole(getTestRole(), http.StatusInternalServerError) + assert.NoError(t, err) req, err := http.NewRequest(http.MethodGet, userSharesPath, nil) assert.NoError(t, err) setBearerForReq(req, userAPIToken) @@ -6185,6 +6399,19 @@ func TestProviderErrors(t *testing.T) { assert.NoError(t, err) _, _, err = httpdtest.Loaddata(backupFilePath, "", "", http.StatusInternalServerError) assert.NoError(t, err) + backupData = dataprovider.BackupData{ + Roles: []dataprovider.Role{ + { + Name: "role1", + }, + }, + } + backupContent, err = json.Marshal(backupData) + assert.NoError(t, err) + err = os.WriteFile(backupFilePath, backupContent, os.ModePerm) + assert.NoError(t, err) + _, _, err = httpdtest.Loaddata(backupFilePath, "", "", http.StatusInternalServerError) + assert.NoError(t, err) err = os.Remove(backupFilePath) assert.NoError(t, err) @@ -6608,6 +6835,9 @@ func TestRestoreShares(t *testing.T) { func TestLoaddataFromPostBody(t *testing.T) { mappedPath := filepath.Join(os.TempDir(), "restored_folder") folderName := filepath.Base(mappedPath) + role := getTestRole() + role.ID = 1 + role.Name = "test_restored_role" group := getTestGroup() group.ID = 1 group.Name = "test_group_restored" @@ -6620,13 +6850,18 @@ func TestLoaddataFromPostBody(t *testing.T) { Type: sdk.GroupTypePrimary, }, } + user.Role = role.Name admin := getTestAdmin() admin.ID = 1 admin.Username = "test_admin_restored" + admin.Permissions = []string{dataprovider.PermAdminAddUsers, dataprovider.PermAdminChangeUsers, + dataprovider.PermAdminDeleteUsers, dataprovider.PermAdminViewUsers} + admin.Role = role.Name backupData := dataprovider.BackupData{} backupData.Users = append(backupData.Users, user) backupData.Groups = append(backupData.Groups, group) backupData.Admins = append(backupData.Admins, admin) + backupData.Roles = append(backupData.Roles, role) backupData.Folders = []vfs.BaseVirtualFolder{ { Name: folderName, @@ -6674,14 +6909,19 @@ func TestLoaddataFromPostBody(t *testing.T) { } backupContent, err = json.Marshal(backupData) assert.NoError(t, err) - _, _, err = httpdtest.LoaddataFromPostBody(backupContent, "0", "0", http.StatusOK) - assert.NoError(t, err) + _, resp, err := httpdtest.LoaddataFromPostBody(backupContent, "0", "0", http.StatusOK) + assert.NoError(t, err, string(resp)) user, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK) assert.NoError(t, err) + assert.Equal(t, role.Name, user.Role) if assert.Len(t, user.Groups, 1) { assert.Equal(t, sdk.GroupTypePrimary, user.Groups[0].Type) assert.Equal(t, group.Name, user.Groups[0].Name) } + role, _, err = httpdtest.GetRoleByName(role.Name, http.StatusOK) + assert.NoError(t, err) + assert.Len(t, role.Admins, 1) + assert.Len(t, role.Users, 1) _, err = dataprovider.ShareExists(keyID, user.Username) assert.NoError(t, err) _, err = httpdtest.RemoveUser(user, http.StatusOK) @@ -6694,8 +6934,15 @@ func TestLoaddataFromPostBody(t *testing.T) { admin, _, err = httpdtest.GetAdminByUsername(admin.Username, http.StatusOK) assert.NoError(t, err) + assert.Equal(t, role.Name, admin.Role) _, err = httpdtest.RemoveAdmin(admin, http.StatusOK) assert.NoError(t, err) + role, _, err = httpdtest.GetRoleByName(role.Name, http.StatusOK) + assert.NoError(t, err) + assert.Len(t, role.Admins, 0) + assert.Len(t, role.Users, 0) + _, err = httpdtest.RemoveRole(role, http.StatusOK) + assert.NoError(t, err) apiKey, _, err := httpdtest.GetAPIKeyByID(keyID, http.StatusOK) assert.NoError(t, err) _, err = httpdtest.RemoveAPIKey(apiKey, http.StatusOK) @@ -6715,7 +6962,7 @@ func TestLoaddataFromPostBody(t *testing.T) { func TestLoaddata(t *testing.T) { mappedPath := filepath.Join(os.TempDir(), "restored_folder") folderName := filepath.Base(mappedPath) - foldeDesc := "restored folder desc" + folderDesc := "restored folder desc" user := getTestUser() user.ID = 1 user.Username = "test_user_restore" @@ -6734,6 +6981,9 @@ func TestLoaddata(t *testing.T) { }, VirtualPath: "/vgrouppath", }) + role := getTestRole() + role.ID = 1 + role.Name = "test_role_restore" user.Groups = append(user.Groups, sdk.GroupMapping{ Name: group.Name, Type: sdk.GroupTypePrimary, @@ -6794,6 +7044,7 @@ func TestLoaddata(t *testing.T) { } backupData := dataprovider.BackupData{} backupData.Users = append(backupData.Users, user) + backupData.Roles = append(backupData.Roles, role) backupData.Groups = append(backupData.Groups, group) backupData.Admins = append(backupData.Admins, admin) backupData.Folders = []vfs.BaseVirtualFolder{ @@ -6808,7 +7059,7 @@ func TestLoaddata(t *testing.T) { { MappedPath: mappedPath, Name: folderName, - Description: foldeDesc, + Description: folderDesc, }, } backupData.APIKeys = append(backupData.APIKeys, apiKey) @@ -6849,6 +7100,9 @@ func TestLoaddata(t *testing.T) { _, err = dataprovider.ShareExists(share.ShareID, user.Username) assert.NoError(t, err) + role, _, err = httpdtest.GetRoleByName(role.Name, http.StatusOK) + assert.NoError(t, err) + group, _, err = httpdtest.GetGroupByName(group.Name, http.StatusOK) assert.NoError(t, err) assert.Len(t, group.VirtualFolders, 1) @@ -6905,18 +7159,17 @@ func TestLoaddata(t *testing.T) { if assert.Len(t, dumpedData.Groups, 1) { assert.Equal(t, len(group.VirtualFolders), len(dumpedData.Groups[0].VirtualFolders)) } - found = false - for _, a := range dumpedData.EventActions { - if a.Name == action.Name { - found = true - } + if assert.Len(t, dumpedData.EventActions, 1) { + assert.Equal(t, action.Name, dumpedData.EventActions[0].Name) + } + if assert.Len(t, dumpedData.EventRules, 1) { + assert.Equal(t, rule.Name, dumpedData.EventRules[0].Name) + assert.Len(t, dumpedData.EventRules[0].Actions, 1) } - assert.True(t, found) found = false - for _, r := range dumpedData.EventRules { - if r.Name == rule.Name { + for _, r := range dumpedData.Roles { + if r.Name == role.Name { found = true - assert.Len(t, r.Actions, 1) } } assert.True(t, found) @@ -6926,7 +7179,7 @@ func TestLoaddata(t *testing.T) { assert.Equal(t, int64(123), folder.UsedQuotaSize) assert.Equal(t, 456, folder.UsedQuotaFiles) assert.Equal(t, int64(789), folder.LastQuotaUpdate) - assert.Equal(t, foldeDesc, folder.Description) + assert.Equal(t, folderDesc, folder.Description) assert.Len(t, folder.Users, 1) _, err = httpdtest.RemoveFolder(folder, http.StatusOK) assert.NoError(t, err) @@ -6942,6 +7195,8 @@ func TestLoaddata(t *testing.T) { assert.NoError(t, err) _, err = httpdtest.RemoveAdmin(admin, http.StatusOK) assert.NoError(t, err) + _, err = httpdtest.RemoveRole(role, http.StatusOK) + assert.NoError(t, err) err = os.Remove(backupFilePath) assert.NoError(t, err) @@ -6962,9 +7217,14 @@ func TestLoaddata(t *testing.T) { func TestLoaddataMode(t *testing.T) { mappedPath := filepath.Join(os.TempDir(), "restored_fold") folderName := filepath.Base(mappedPath) + role := getTestRole() + role.ID = 1 + role.Name = "test_role_load" + role.Description = "" user := getTestUser() user.ID = 1 user.Username = "test_user_restore" + user.Role = role.Name group := getTestGroup() group.ID = 1 group.Name = "test_group_restore" @@ -7031,6 +7291,7 @@ func TestLoaddataMode(t *testing.T) { backupData.Admins = append(backupData.Admins, admin) backupData.EventActions = append(backupData.EventActions, action) backupData.EventRules = append(backupData.EventRules, rule) + backupData.Roles = append(backupData.Roles, role) backupData.Folders = []vfs.BaseVirtualFolder{ { Name: folderName, @@ -7062,10 +7323,20 @@ func TestLoaddataMode(t *testing.T) { assert.Len(t, folder.Users, 0) user, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK) assert.NoError(t, err) + assert.Equal(t, role.Name, user.Role) oldUploadBandwidth := user.UploadBandwidth user.UploadBandwidth = oldUploadBandwidth + 128 user, _, err = httpdtest.UpdateUser(user, http.StatusOK, "") assert.NoError(t, err) + role, _, err = httpdtest.GetRoleByName(role.Name, http.StatusOK) + assert.NoError(t, err) + assert.Len(t, role.Users, 1) + assert.Len(t, role.Admins, 0) + assert.Empty(t, role.Description) + role.Description = "role desc" + _, _, err = httpdtest.UpdateRole(role, http.StatusOK) + assert.NoError(t, err) + role.Description = "" group, _, err = httpdtest.GetGroupByName(group.Name, http.StatusOK) assert.NoError(t, err) assert.Len(t, group.Users, 1) @@ -7137,7 +7408,7 @@ func TestLoaddataMode(t *testing.T) { } err = common.Connections.Add(fakeConn) assert.NoError(t, err) - assert.Len(t, common.Connections.GetStats(), 1) + assert.Len(t, common.Connections.GetStats(""), 1) user, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK) assert.NoError(t, err) assert.NotEqual(t, oldUploadBandwidth, user.UploadBandwidth) @@ -7155,10 +7426,16 @@ func TestLoaddataMode(t *testing.T) { assert.NoError(t, err) assert.NotEmpty(t, share.Description) + role, _, err = httpdtest.GetRoleByName(role.Name, http.StatusOK) + assert.NoError(t, err) + assert.Len(t, role.Users, 1) + assert.Len(t, role.Admins, 0) + assert.NotEmpty(t, role.Description) + _, _, err = httpdtest.Loaddata(backupFilePath, "0", "2", http.StatusOK) assert.NoError(t, err) // mode 2 will update the user and close the previous connection - assert.Len(t, common.Connections.GetStats(), 0) + assert.Len(t, common.Connections.GetStats(""), 0) user, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK) assert.NoError(t, err) assert.Equal(t, oldUploadBandwidth, user.UploadBandwidth) @@ -7179,6 +7456,8 @@ func TestLoaddataMode(t *testing.T) { assert.NoError(t, err) _, err = httpdtest.RemoveEventAction(action, http.StatusOK) assert.NoError(t, err) + _, err = httpdtest.RemoveRole(role, http.StatusOK) + assert.NoError(t, err) err = os.Remove(backupFilePath) assert.NoError(t, err) } @@ -7359,6 +7638,45 @@ func TestAddEventRuleInvalidJsonMock(t *testing.T) { checkResponseCode(t, http.StatusBadRequest, rr) } +func TestAddRoleInvalidJsonMock(t *testing.T) { + token, err := getJWTAPITokenFromTestServer(defaultTokenAuthUser, defaultTokenAuthPass) + assert.NoError(t, err) + req, _ := http.NewRequest(http.MethodPost, rolesPath, bytes.NewBuffer([]byte("{"))) + setBearerForReq(req, token) + rr := executeRequest(req) + checkResponseCode(t, http.StatusBadRequest, rr) +} + +func TestRoleErrorsMock(t *testing.T) { + token, err := getJWTAPITokenFromTestServer(defaultTokenAuthUser, defaultTokenAuthPass) + assert.NoError(t, err) + reqBody := bytes.NewBuffer([]byte("{")) + req, err := http.NewRequest(http.MethodGet, rolesPath+"?limit=a", nil) + assert.NoError(t, err) + setBearerForReq(req, token) + rr := executeRequest(req) + checkResponseCode(t, http.StatusBadRequest, rr) + role, _, err := httpdtest.AddRole(getTestRole(), http.StatusCreated) + assert.NoError(t, err) + + req, err = http.NewRequest(http.MethodPut, path.Join(rolesPath, role.Name), reqBody) + assert.NoError(t, err) + setBearerForReq(req, token) + rr = executeRequest(req) + checkResponseCode(t, http.StatusBadRequest, rr) + + req, err = http.NewRequest(http.MethodPut, path.Join(rolesPath, "missing_role"), reqBody) + assert.NoError(t, err) + setBearerForReq(req, token) + rr = executeRequest(req) + checkResponseCode(t, http.StatusNotFound, rr) + + _, err = httpdtest.RemoveRole(role, http.StatusOK) + assert.NoError(t, err) + _, err = httpdtest.RemoveRole(role, http.StatusNotFound) + assert.NoError(t, err) +} + func TestEventRuleErrorsMock(t *testing.T) { token, err := getJWTAPITokenFromTestServer(defaultTokenAuthUser, defaultTokenAuthPass) assert.NoError(t, err) @@ -9517,6 +9835,7 @@ func TestUpdateAdminMock(t *testing.T) { setBearerForReq(req, token) rr = executeRequest(req) checkResponseCode(t, http.StatusBadRequest, rr) + assert.Contains(t, rr.Body.String(), "you cannot disable yourself") admin.Status = 1 admin.Permissions = []string{dataprovider.PermAdminAddUsers} asJSON, err = json.Marshal(admin) @@ -9525,6 +9844,17 @@ func TestUpdateAdminMock(t *testing.T) { setBearerForReq(req, token) rr = executeRequest(req) checkResponseCode(t, http.StatusBadRequest, rr) + assert.Contains(t, rr.Body.String(), "you cannot remove these permissions to yourself") + admin.Permissions = []string{dataprovider.PermAdminAny} + admin.Role = "missing role" + asJSON, err = json.Marshal(admin) + assert.NoError(t, err) + req, _ = http.NewRequest(http.MethodPut, path.Join(adminPath, defaultTokenAuthUser), bytes.NewBuffer(asJSON)) + setBearerForReq(req, token) + rr = executeRequest(req) + checkResponseCode(t, http.StatusBadRequest, rr) + assert.Contains(t, rr.Body.String(), "you cannot add/change your role") + admin.Role = "" altToken, err := getJWTAPITokenFromTestServer(altAdminUsername, defaultTokenAuthPass) assert.NoError(t, err) @@ -9865,7 +10195,7 @@ func TestUpdateUserQuotaUsageMock(t *testing.T) { setBearerForReq(req, token) rr = executeRequest(req) checkResponseCode(t, http.StatusBadRequest, rr) - assert.True(t, common.QuotaScans.AddUserQuotaScan(user.Username)) + assert.True(t, common.QuotaScans.AddUserQuotaScan(user.Username, "")) req, _ = http.NewRequest(http.MethodPut, path.Join(quotasBasePath, "users", u.Username, "usage"), bytes.NewBuffer(userAsJSON)) setBearerForReq(req, token) rr = executeRequest(req) @@ -10142,7 +10472,7 @@ func TestStartQuotaScanMock(t *testing.T) { assert.NoError(t, err) } // simulate a duplicate quota scan - common.QuotaScans.AddUserQuotaScan(user.Username) + common.QuotaScans.AddUserQuotaScan(user.Username, "") req, _ = http.NewRequest(http.MethodPost, path.Join(quotasBasePath, "users", user.Username, "scan"), nil) setBearerForReq(req, token) rr = executeRequest(req) @@ -10829,7 +11159,7 @@ func TestWebClientMaxConnections(t *testing.T) { assert.NoError(t, err) err = os.RemoveAll(user.GetHomeDir()) assert.NoError(t, err) - assert.Len(t, common.Connections.GetStats(), 0) + assert.Len(t, common.Connections.GetStats(""), 0) common.Config.MaxTotalConnections = oldValue } @@ -11095,7 +11425,7 @@ func TestMaxSessions(t *testing.T) { assert.NoError(t, err) err = os.RemoveAll(user.GetHomeDir()) assert.NoError(t, err) - assert.Len(t, common.Connections.GetStats(), 0) + assert.Len(t, common.Connections.GetStats(""), 0) } func TestSFTPLoopError(t *testing.T) { @@ -11827,7 +12157,7 @@ func TestShareMaxSessions(t *testing.T) { assert.NoError(t, err) err = os.RemoveAll(user.GetHomeDir()) assert.NoError(t, err) - assert.Len(t, common.Connections.GetStats(), 0) + assert.Len(t, common.Connections.GetStats(""), 0) } func TestShareUploadSingle(t *testing.T) { @@ -15043,7 +15373,7 @@ func TestClientUserClose(t *testing.T) { }() // wait for the transfers assert.Eventually(t, func() bool { - stats := common.Connections.GetStats() + stats := common.Connections.GetStats("") if len(stats) == 3 { if len(stats[0].Transfers) > 0 && len(stats[1].Transfers) > 0 { return true @@ -15052,12 +15382,12 @@ func TestClientUserClose(t *testing.T) { return false }, 1*time.Second, 50*time.Millisecond) - for _, stat := range common.Connections.GetStats() { + for _, stat := range common.Connections.GetStats("") { // close all the active transfers - common.Connections.Close(stat.ConnectionID) + common.Connections.Close(stat.ConnectionID, "") } wg.Wait() - assert.Eventually(t, func() bool { return len(common.Connections.GetStats()) == 0 }, + assert.Eventually(t, func() bool { return len(common.Connections.GetStats("")) == 0 }, 1*time.Second, 100*time.Millisecond) _, err = httpdtest.RemoveUser(user, http.StatusOK) @@ -16916,6 +17246,16 @@ func TestAdminUpdateSelfMock(t *testing.T) { rr = executeRequest(req) checkResponseCode(t, http.StatusOK, rr) assert.Contains(t, rr.Body.String(), "You cannot disable yourself") + + form.Set("status", "1") + form.Set("role", "my role") + req, _ = http.NewRequest(http.MethodPost, path.Join(webAdminPath, defaultTokenAuthUser), bytes.NewBuffer([]byte(form.Encode()))) + req.RemoteAddr = defaultRemoteAddr + req.Header.Set("Content-Type", "application/x-www-form-urlencoded") + setJWTCookieForReq(req, token) + rr = executeRequest(req) + checkResponseCode(t, http.StatusOK, rr) + assert.Contains(t, rr.Body.String(), "You cannot add/change your role") } func TestWebMaintenanceMock(t *testing.T) { @@ -17380,7 +17720,7 @@ func TestWebUserAddMock(t *testing.T) { rr = executeRequest(req) checkResponseCode(t, http.StatusSeeOther, rr) - dbUser, err := dataprovider.UserExists(user.Username) + dbUser, err := dataprovider.UserExists(user.Username, "") assert.NoError(t, err) assert.NotEmpty(t, dbUser.Password) assert.True(t, dbUser.IsPasswordHashed()) @@ -17572,7 +17912,7 @@ func TestWebUserUpdateMock(t *testing.T) { assert.Equal(t, int64(512), user.Filters.BandwidthLimits[0].DownloadBandwidth) } - dbUser, err := dataprovider.UserExists(user.Username) + dbUser, err := dataprovider.UserExists(user.Username, "") assert.NoError(t, err) assert.NotEmpty(t, dbUser.Password) assert.True(t, dbUser.IsPasswordHashed()) @@ -17637,7 +17977,7 @@ func TestWebUserUpdateMock(t *testing.T) { req.Header.Set("Content-Type", contentType) rr = executeRequest(req) checkResponseCode(t, http.StatusSeeOther, rr) - dbUser, err = dataprovider.UserExists(user.Username) + dbUser, err = dataprovider.UserExists(user.Username, "") assert.NoError(t, err) assert.Empty(t, dbUser.Password) assert.False(t, dbUser.IsPasswordHashed()) @@ -17649,7 +17989,7 @@ func TestWebUserUpdateMock(t *testing.T) { req.Header.Set("Content-Type", contentType) rr = executeRequest(req) checkResponseCode(t, http.StatusSeeOther, rr) - dbUser, err = dataprovider.UserExists(user.Username) + dbUser, err = dataprovider.UserExists(user.Username, "") assert.NoError(t, err) assert.NotEmpty(t, dbUser.Password) assert.True(t, dbUser.IsPasswordHashed()) @@ -17662,7 +18002,7 @@ func TestWebUserUpdateMock(t *testing.T) { req.Header.Set("Content-Type", contentType) rr = executeRequest(req) checkResponseCode(t, http.StatusSeeOther, rr) - dbUser, err = dataprovider.UserExists(user.Username) + dbUser, err = dataprovider.UserExists(user.Username, "") assert.NoError(t, err) assert.NotEmpty(t, dbUser.Password) assert.True(t, dbUser.IsPasswordHashed()) @@ -17824,7 +18164,7 @@ func TestUserTemplateWithFoldersMock(t *testing.T) { form.Add("tpl_public_keys", "") form.Set("form_action", "export_from_template") b, contentType, _ := getMultipartFormData(form, "", "") - req, _ := http.NewRequest(http.MethodPost, path.Join(webTemplateUser), &b) + req, _ := http.NewRequest(http.MethodPost, webTemplateUser, &b) setJWTCookieForReq(req, token) req.Header.Set("Content-Type", contentType) rr := executeRequest(req) @@ -17833,7 +18173,7 @@ func TestUserTemplateWithFoldersMock(t *testing.T) { form.Set(csrfFormToken, csrfToken) b, contentType, _ = getMultipartFormData(form, "", "") - req, _ = http.NewRequest(http.MethodPost, path.Join(webTemplateUser), &b) + req, _ = http.NewRequest(http.MethodPost, webTemplateUser, &b) setJWTCookieForReq(req, token) req.Header.Set("Content-Type", contentType) rr = executeRequest(req) @@ -17844,7 +18184,7 @@ func TestUserTemplateWithFoldersMock(t *testing.T) { assert.NoError(t, err, string(resp)) b, contentType, _ = getMultipartFormData(form, "", "") - req, _ = http.NewRequest(http.MethodPost, path.Join(webTemplateUser), &b) + req, _ = http.NewRequest(http.MethodPost, webTemplateUser, &b) setJWTCookieForReq(req, token) req.Header.Set("Content-Type", contentType) rr = executeRequest(req) @@ -18140,7 +18480,7 @@ func TestUserPlaceholders(t *testing.T) { assert.NoError(t, err) assert.Equal(t, filepath.Join(os.TempDir(), fmt.Sprintf("%v_%v", defaultUsername, defaultPassword)), user.HomeDir) - dbUser, err := dataprovider.UserExists(defaultUsername) + dbUser, err := dataprovider.UserExists(defaultUsername, "") assert.NoError(t, err) assert.True(t, dbUser.IsPasswordHashed()) hashedPwd := dbUser.Password @@ -18158,7 +18498,7 @@ func TestUserPlaceholders(t *testing.T) { assert.NoError(t, err) assert.Equal(t, filepath.Join(os.TempDir(), defaultUsername+"_%password%"), user.HomeDir) // check that the password was unchanged - dbUser, err = dataprovider.UserExists(defaultUsername) + dbUser, err = dataprovider.UserExists(defaultUsername, "") assert.NoError(t, err) assert.True(t, dbUser.IsPasswordHashed()) assert.Equal(t, hashedPwd, dbUser.Password) @@ -19305,6 +19645,74 @@ func TestWebUserSFTPFsMock(t *testing.T) { checkResponseCode(t, http.StatusOK, rr) } +func TestWebUserRole(t *testing.T) { + role, resp, err := httpdtest.AddRole(getTestRole(), http.StatusCreated) + assert.NoError(t, err, string(resp)) + a := getTestAdmin() + a.Username = altAdminUsername + a.Password = altAdminPassword + a.Role = role.Name + a.Permissions = []string{dataprovider.PermAdminAddUsers, dataprovider.PermAdminChangeUsers, + dataprovider.PermAdminDeleteUsers, dataprovider.PermAdminViewUsers} + admin, _, err := httpdtest.AddAdmin(a, http.StatusCreated) + assert.NoError(t, err) + webToken, err := getJWTWebTokenFromTestServer(altAdminUsername, altAdminPassword) + assert.NoError(t, err) + csrfToken, err := getCSRFToken(httpBaseURL + webLoginPath) + assert.NoError(t, err) + user := getTestUser() + form := make(url.Values) + form.Set(csrfFormToken, csrfToken) + form.Set("username", user.Username) + form.Set("home_dir", user.HomeDir) + form.Set("password", user.Password) + form.Set("status", strconv.Itoa(user.Status)) + form.Set("permissions", "*") + form.Set("external_auth_cache_time", "0") + form.Set("uid", "0") + form.Set("gid", "0") + form.Set("max_sessions", "0") + form.Set("quota_size", "0") + form.Set("quota_files", "0") + form.Set("upload_bandwidth", strconv.FormatInt(user.UploadBandwidth, 10)) + form.Set("download_bandwidth", strconv.FormatInt(user.DownloadBandwidth, 10)) + form.Set("upload_data_transfer", strconv.FormatInt(user.UploadDataTransfer, 10)) + form.Set("download_data_transfer", strconv.FormatInt(user.DownloadDataTransfer, 10)) + form.Set("total_data_transfer", strconv.FormatInt(user.TotalDataTransfer, 10)) + form.Set("max_upload_file_size", "0") + form.Set("default_shares_expiration", "10") + b, contentType, _ := getMultipartFormData(form, "", "") + req, err := http.NewRequest(http.MethodPost, webUserPath, &b) + assert.NoError(t, err) + setJWTCookieForReq(req, webToken) + req.Header.Set("Content-Type", contentType) + rr := executeRequest(req) + checkResponseCode(t, http.StatusSeeOther, rr) + + user, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK) + assert.NoError(t, err) + assert.Equal(t, role.Name, user.Role) + + form.Set("role", "") + b, contentType, _ = getMultipartFormData(form, "", "") + req, _ = http.NewRequest(http.MethodPost, path.Join(webUserPath, user.Username), &b) + setJWTCookieForReq(req, webToken) + req.Header.Set("Content-Type", contentType) + rr = executeRequest(req) + checkResponseCode(t, http.StatusSeeOther, rr) + + user, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK) + assert.NoError(t, err) + assert.Equal(t, role.Name, user.Role) + + _, err = httpdtest.RemoveUser(user, http.StatusOK) + assert.NoError(t, err) + _, err = httpdtest.RemoveAdmin(admin, http.StatusOK) + assert.NoError(t, err) + _, err = httpdtest.RemoveRole(role, http.StatusOK) + assert.NoError(t, err) +} + func TestWebEventAction(t *testing.T) { webToken, err := getJWTWebTokenFromTestServer(defaultTokenAuthUser, defaultTokenAuthPass) assert.NoError(t, err) @@ -19985,6 +20393,110 @@ func TestWebEventRule(t *testing.T) { checkResponseCode(t, http.StatusOK, rr) } +func TestWebRole(t *testing.T) { + webToken, err := getJWTWebTokenFromTestServer(defaultTokenAuthUser, defaultTokenAuthPass) + assert.NoError(t, err) + csrfToken, err := getCSRFToken(httpBaseURL + webLoginPath) + assert.NoError(t, err) + role := getTestRole() + form := make(url.Values) + form.Set("name", "") + form.Set("description", role.Description) + req, err := http.NewRequest(http.MethodPost, webAdminRolePath, bytes.NewBuffer([]byte(form.Encode()))) + assert.NoError(t, err) + req.Header.Set("Content-Type", "application/x-www-form-urlencoded") + setJWTCookieForReq(req, webToken) + rr := executeRequest(req) + checkResponseCode(t, http.StatusForbidden, rr) + assert.Contains(t, rr.Body.String(), "unable to verify form token") + + form.Set(csrfFormToken, csrfToken) + req, err = http.NewRequest(http.MethodPost, webAdminRolePath, bytes.NewBuffer([]byte(form.Encode()))) + assert.NoError(t, err) + req.Header.Set("Content-Type", "application/x-www-form-urlencoded") + setJWTCookieForReq(req, webToken) + rr = executeRequest(req) + checkResponseCode(t, http.StatusOK, rr) + assert.Contains(t, rr.Body.String(), "name is mandatory") + form.Set("name", role.Name) + req, err = http.NewRequest(http.MethodPost, webAdminRolePath, bytes.NewBuffer([]byte(form.Encode()))) + assert.NoError(t, err) + req.Header.Set("Content-Type", "application/x-www-form-urlencoded") + setJWTCookieForReq(req, webToken) + rr = executeRequest(req) + checkResponseCode(t, http.StatusSeeOther, rr) + // a new add will fail + req, err = http.NewRequest(http.MethodPost, webAdminRolePath, bytes.NewBuffer([]byte(form.Encode()))) + assert.NoError(t, err) + req.Header.Set("Content-Type", "application/x-www-form-urlencoded") + setJWTCookieForReq(req, webToken) + rr = executeRequest(req) + checkResponseCode(t, http.StatusOK, rr) + // list roles + req, err = http.NewRequest(http.MethodGet, webAdminRolesPath, nil) + assert.NoError(t, err) + setJWTCookieForReq(req, webToken) + rr = executeRequest(req) + checkResponseCode(t, http.StatusOK, rr) + // render the new role page + req, err = http.NewRequest(http.MethodGet, webAdminRolePath, nil) + assert.NoError(t, err) + setJWTCookieForReq(req, webToken) + rr = executeRequest(req) + checkResponseCode(t, http.StatusOK, rr) + req, err = http.NewRequest(http.MethodGet, path.Join(webAdminRolePath, role.Name), nil) + assert.NoError(t, err) + setJWTCookieForReq(req, webToken) + rr = executeRequest(req) + checkResponseCode(t, http.StatusOK, rr) + req, err = http.NewRequest(http.MethodGet, path.Join(webAdminRolePath, "missing_role"), nil) + assert.NoError(t, err) + setJWTCookieForReq(req, webToken) + rr = executeRequest(req) + checkResponseCode(t, http.StatusNotFound, rr) + // parse form error + req, err = http.NewRequest(http.MethodPost, path.Join(webAdminRolePath, role.Name)+"?param=p%C4%AO%GH", + bytes.NewBuffer([]byte(form.Encode()))) + assert.NoError(t, err) + req.Header.Set("Content-Type", "application/x-www-form-urlencoded") + setJWTCookieForReq(req, webToken) + rr = executeRequest(req) + checkResponseCode(t, http.StatusOK, rr) + assert.Contains(t, rr.Body.String(), "invalid URL escape") + // update role + form.Set("description", "new desc") + req, err = http.NewRequest(http.MethodPost, path.Join(webAdminRolePath, role.Name), bytes.NewBuffer([]byte(form.Encode()))) + assert.NoError(t, err) + req.Header.Set("Content-Type", "application/x-www-form-urlencoded") + setJWTCookieForReq(req, webToken) + rr = executeRequest(req) + checkResponseCode(t, http.StatusSeeOther, rr) + // check the changes + role, _, err = httpdtest.GetRoleByName(role.Name, http.StatusOK) + assert.NoError(t, err) + assert.Equal(t, "new desc", role.Description) + // no CSRF token + form.Set(csrfFormToken, "") + req, err = http.NewRequest(http.MethodPost, path.Join(webAdminRolePath, role.Name), bytes.NewBuffer([]byte(form.Encode()))) + assert.NoError(t, err) + req.Header.Set("Content-Type", "application/x-www-form-urlencoded") + setJWTCookieForReq(req, webToken) + rr = executeRequest(req) + checkResponseCode(t, http.StatusForbidden, rr) + assert.Contains(t, rr.Body.String(), "unable to verify form token") + // missing role + form.Set(csrfFormToken, csrfToken) + req, err = http.NewRequest(http.MethodPost, path.Join(webAdminRolePath, "missing"), bytes.NewBuffer([]byte(form.Encode()))) + assert.NoError(t, err) + req.Header.Set("Content-Type", "application/x-www-form-urlencoded") + setJWTCookieForReq(req, webToken) + rr = executeRequest(req) + checkResponseCode(t, http.StatusNotFound, rr) + + _, err = httpdtest.RemoveRole(role, http.StatusOK) + assert.NoError(t, err) +} + func TestAddWebGroup(t *testing.T) { webToken, err := getJWTWebTokenFromTestServer(defaultTokenAuthUser, defaultTokenAuthPass) assert.NoError(t, err) @@ -21187,7 +21699,7 @@ func TestAPIForgotPassword(t *testing.T) { checkResponseCode(t, http.StatusBadRequest, rr) assert.Contains(t, rr.Body.String(), "confirmation code not found") - user, err = dataprovider.UserExists(defaultUsername) + user, err = dataprovider.UserExists(defaultUsername, "") assert.NoError(t, err) err = bcrypt.CompareHashAndPassword([]byte(user.Password), []byte(altAdminPassword)) assert.NoError(t, err) @@ -21254,6 +21766,20 @@ func TestProviderClosedMock(t *testing.T) { assert.NoError(t, err) csrfToken, err := getCSRFToken(httpBaseURL + webLoginPath) assert.NoError(t, err) + // create a role admin + role, resp, err := httpdtest.AddRole(getTestRole(), http.StatusCreated) + assert.NoError(t, err, string(resp)) + a := getTestAdmin() + a.Username = altAdminUsername + a.Password = altAdminPassword + a.Role = role.Name + a.Permissions = []string{dataprovider.PermAdminAddUsers, dataprovider.PermAdminChangeUsers, + dataprovider.PermAdminDeleteUsers, dataprovider.PermAdminViewUsers} + admin, _, err := httpdtest.AddAdmin(a, http.StatusCreated) + assert.NoError(t, err) + altToken, err := getJWTWebTokenFromTestServer(altAdminUsername, altAdminPassword) + assert.NoError(t, err) + dataprovider.Close() req, _ := http.NewRequest(http.MethodGet, webFoldersPath, nil) setJWTCookieForReq(req, token) @@ -21299,12 +21825,46 @@ func TestProviderClosedMock(t *testing.T) { rr = executeRequest(req) checkResponseCode(t, http.StatusInternalServerError, rr) + req, _ = http.NewRequest(http.MethodPost, webUserPath, strings.NewReader(form.Encode())) + setJWTCookieForReq(req, token) + rr = executeRequest(req) + checkResponseCode(t, http.StatusInternalServerError, rr) + + req, _ = http.NewRequest(http.MethodPost, webUserPath, strings.NewReader(form.Encode())) + setJWTCookieForReq(req, altToken) + rr = executeRequest(req) + checkResponseCode(t, http.StatusInternalServerError, rr) + + req, err = http.NewRequest(http.MethodGet, webAdminRolesPath, nil) + assert.NoError(t, err) + setJWTCookieForReq(req, token) + rr = executeRequest(req) + checkResponseCode(t, http.StatusInternalServerError, rr) + + req, err = http.NewRequest(http.MethodGet, path.Join(webAdminRolePath, role.Name), nil) + assert.NoError(t, err) + setJWTCookieForReq(req, token) + rr = executeRequest(req) + checkResponseCode(t, http.StatusInternalServerError, rr) + + req, err = http.NewRequest(http.MethodPost, path.Join(webAdminRolePath, role.Name), strings.NewReader(form.Encode())) + assert.NoError(t, err) + setJWTCookieForReq(req, token) + rr = executeRequest(req) + checkResponseCode(t, http.StatusInternalServerError, rr) + err = config.LoadConfig(configDir, "") assert.NoError(t, err) providerConf := config.GetProviderConf() providerConf.BackupsPath = backupsPath err = dataprovider.Initialize(providerConf, configDir, true) assert.NoError(t, err) + if config.GetProviderConf().Driver != dataprovider.MemoryDataProviderName { + _, err = httpdtest.RemoveAdmin(admin, http.StatusOK) + assert.NoError(t, err) + _, err = httpdtest.RemoveRole(role, http.StatusOK) + assert.NoError(t, err) + } } func TestWebConnectionsMock(t *testing.T) { @@ -21513,6 +22073,13 @@ func getTestGroup() dataprovider.Group { } } +func getTestRole() dataprovider.Role { + return dataprovider.Role{ + Name: "test_role", + Description: "test role description", + } +} + func getTestUser() dataprovider.User { user := dataprovider.User{ BaseUser: sdk.BaseUser{ diff --git a/internal/httpd/internal_test.go b/internal/httpd/internal_test.go index 315cbbbf..2da4c782 100644 --- a/internal/httpd/internal_test.go +++ b/internal/httpd/internal_test.go @@ -40,8 +40,8 @@ import ( "github.com/go-chi/chi/v5/middleware" "github.com/go-chi/jwtauth/v5" "github.com/klauspost/compress/zip" - "github.com/lestrrat-go/jwx/jwa" - "github.com/lestrrat-go/jwx/jwt" + "github.com/lestrrat-go/jwx/v2/jwa" + "github.com/lestrrat-go/jwx/v2/jwt" "github.com/rs/xid" "github.com/sftpgo/sdk" "github.com/stretchr/testify/assert" @@ -686,6 +686,86 @@ func TestInvalidToken(t *testing.T) { assert.Equal(t, http.StatusBadRequest, rr.Code) assert.Contains(t, rr.Body.String(), "Invalid token claims") + rr = httptest.NewRecorder() + getMetadataChecks(rr, req) + assert.Equal(t, http.StatusBadRequest, rr.Code) + assert.Contains(t, rr.Body.String(), "Invalid token claims") + + rr = httptest.NewRecorder() + startMetadataCheck(rr, req) + assert.Equal(t, http.StatusBadRequest, rr.Code) + assert.Contains(t, rr.Body.String(), "Invalid token claims") + + rr = httptest.NewRecorder() + getUsersQuotaScans(rr, req) + assert.Equal(t, http.StatusBadRequest, rr.Code) + assert.Contains(t, rr.Body.String(), "Invalid token claims") + + rr = httptest.NewRecorder() + updateUserTransferQuotaUsage(rr, req) + assert.Equal(t, http.StatusBadRequest, rr.Code) + assert.Contains(t, rr.Body.String(), "Invalid token claims") + + rr = httptest.NewRecorder() + doUpdateUserQuotaUsage(rr, req, "", quotaUsage{}) + assert.Equal(t, http.StatusBadRequest, rr.Code) + assert.Contains(t, rr.Body.String(), "Invalid token claims") + + rr = httptest.NewRecorder() + doStartUserQuotaScan(rr, req, "") + assert.Equal(t, http.StatusBadRequest, rr.Code) + assert.Contains(t, rr.Body.String(), "Invalid token claims") + + rr = httptest.NewRecorder() + getRetentionChecks(rr, req) + assert.Equal(t, http.StatusBadRequest, rr.Code) + assert.Contains(t, rr.Body.String(), "Invalid token claims") + + rr = httptest.NewRecorder() + addRole(rr, req) + assert.Equal(t, http.StatusBadRequest, rr.Code) + assert.Contains(t, rr.Body.String(), "Invalid token claims") + + rr = httptest.NewRecorder() + updateRole(rr, req) + assert.Equal(t, http.StatusBadRequest, rr.Code) + assert.Contains(t, rr.Body.String(), "Invalid token claims") + + rr = httptest.NewRecorder() + deleteRole(rr, req) + assert.Equal(t, http.StatusBadRequest, rr.Code) + assert.Contains(t, rr.Body.String(), "Invalid token claims") + + rr = httptest.NewRecorder() + getUsers(rr, req) + assert.Equal(t, http.StatusBadRequest, rr.Code) + assert.Contains(t, rr.Body.String(), "Invalid token claims") + + rr = httptest.NewRecorder() + getUserByUsername(rr, req) + assert.Equal(t, http.StatusBadRequest, rr.Code) + assert.Contains(t, rr.Body.String(), "Invalid token claims") + + rr = httptest.NewRecorder() + server.handleGetWebUsers(rr, req) + assert.Equal(t, http.StatusBadRequest, rr.Code) + assert.Contains(t, rr.Body.String(), "invalid token claims") + + rr = httptest.NewRecorder() + server.handleWebUpdateUserGet(rr, req) + assert.Equal(t, http.StatusBadRequest, rr.Code) + assert.Contains(t, rr.Body.String(), "invalid token claims") + + rr = httptest.NewRecorder() + server.handleWebUpdateRolePost(rr, req) + assert.Equal(t, http.StatusBadRequest, rr.Code) + assert.Contains(t, rr.Body.String(), "invalid token claims") + + rr = httptest.NewRecorder() + server.handleWebAddRolePost(rr, req) + assert.Equal(t, http.StatusBadRequest, rr.Code) + assert.Contains(t, rr.Body.String(), "invalid token claims") + rr = httptest.NewRecorder() server.handleWebAddAdminPost(rr, req) assert.Equal(t, http.StatusBadRequest, rr.Code) @@ -806,7 +886,7 @@ func TestRetentionInvalidTokenClaims(t *testing.T) { assert.Equal(t, http.StatusBadRequest, rr.Code) assert.Contains(t, rr.Body.String(), "Invalid token claims") - err = dataprovider.DeleteUser(username, "", "") + err = dataprovider.DeleteUser(username, "", "", "") assert.NoError(t, err) } @@ -1030,6 +1110,13 @@ func TestCreateTokenError(t *testing.T) { assert.Equal(t, http.StatusOK, rr.Code, rr.Body.String()) assert.Contains(t, rr.Body.String(), "invalid URL escape") + req, _ = http.NewRequest(http.MethodPost, webAdminRolePath+"?a=a%C3%AO%JE", bytes.NewBuffer([]byte(form.Encode()))) + req.Header.Set("Content-Type", "application/x-www-form-urlencoded") + rr = httptest.NewRecorder() + server.handleWebAddRolePost(rr, req) + assert.Equal(t, http.StatusOK, rr.Code, rr.Body.String()) + assert.Contains(t, rr.Body.String(), "invalid URL escape") + req, _ = http.NewRequest(http.MethodPost, webClientResetPwdPath+"?a=a%C3%AO%JD", bytes.NewBuffer([]byte(form.Encode()))) req.Header.Set("Content-Type", "application/x-www-form-urlencoded") rr = httptest.NewRecorder() @@ -1074,7 +1161,7 @@ func TestCreateTokenError(t *testing.T) { err = authenticateUserWithAPIKey(username, "", server.tokenAuth, req) assert.Error(t, err) - err = dataprovider.DeleteUser(username, "", "") + err = dataprovider.DeleteUser(username, "", "", "") assert.NoError(t, err) err = os.RemoveAll(user.HomeDir) assert.NoError(t, err) @@ -1341,13 +1428,13 @@ func TestCookieExpiration(t *testing.T) { cookie = rr.Header().Get("Set-Cookie") assert.Empty(t, cookie) - user, err = dataprovider.UserExists(user.Username) + user, err = dataprovider.UserExists(user.Username, "") assert.NoError(t, err) user.Filters.AllowedIP = []string{"172.16.4.0/24"} err = dataprovider.UpdateUser(&user, "", "") assert.NoError(t, err) - user, err = dataprovider.UserExists(user.Username) + user, err = dataprovider.UserExists(user.Username, "") assert.NoError(t, err) claims = make(map[string]any) claims[claimUsernameKey] = user.Username @@ -1372,7 +1459,7 @@ func TestCookieExpiration(t *testing.T) { cookie = rr.Header().Get("Set-Cookie") assert.NotEmpty(t, cookie) - err = dataprovider.DeleteUser(user.Username, "", "") + err = dataprovider.DeleteUser(user.Username, "", "", "") assert.NoError(t, err) } @@ -1451,7 +1538,7 @@ func TestQuotaScanInvalidFs(t *testing.T) { Provider: sdk.S3FilesystemProvider, }, } - common.QuotaScans.AddUserQuotaScan(user.Username) + common.QuotaScans.AddUserQuotaScan(user.Username, "") err := doUserQuotaScan(user) assert.Error(t, err) } @@ -2437,21 +2524,28 @@ func TestMetadataAPI(t *testing.T) { err := dataprovider.AddUser(&user, "", "") assert.NoError(t, err) - assert.True(t, common.ActiveMetadataChecks.Add(username)) + assert.True(t, common.ActiveMetadataChecks.Add(username, "")) + tokenAuth := jwtauth.New(jwa.HS256.String(), util.GenerateRandomBytes(32), nil) + claims := make(map[string]any) + claims["username"] = defaultAdminUsername + claims[jwt.ExpirationKey] = time.Now().UTC().Add(1 * time.Hour) + token, _, err := tokenAuth.Encode(claims) + assert.NoError(t, err) req, err := http.NewRequest(http.MethodPost, path.Join(metadataBasePath, username, "check"), nil) assert.NoError(t, err) rctx := chi.NewRouteContext() rctx.URLParams.Add("username", username) req = req.WithContext(context.WithValue(req.Context(), chi.RouteCtxKey, rctx)) + req = req.WithContext(context.WithValue(req.Context(), jwtauth.TokenCtxKey, token)) rr := httptest.NewRecorder() startMetadataCheck(rr, req) - assert.Equal(t, http.StatusConflict, rr.Code) + assert.Equal(t, http.StatusConflict, rr.Code, rr.Body.String()) assert.True(t, common.ActiveMetadataChecks.Remove(username)) - assert.Len(t, common.ActiveMetadataChecks.Get(), 0) - err = dataprovider.DeleteUser(username, "", "") + assert.Len(t, common.ActiveMetadataChecks.Get(""), 0) + err = dataprovider.DeleteUser(username, "", "", "") assert.NoError(t, err) user.FsConfig.Provider = sdk.AzureBlobFilesystemProvider diff --git a/internal/httpd/middleware.go b/internal/httpd/middleware.go index e608b387..d257e1b8 100644 --- a/internal/httpd/middleware.go +++ b/internal/httpd/middleware.go @@ -21,7 +21,7 @@ import ( "strings" "github.com/go-chi/jwtauth/v5" - "github.com/lestrrat-go/jwx/jwt" + "github.com/lestrrat-go/jwx/v2/jwt" "github.com/rs/xid" "github.com/sftpgo/sdk" @@ -320,7 +320,7 @@ func checkNodeToken(tokenAuth *jwtauth.JWTAuth) func(next http.Handler) http.Han if len(token) > 7 && strings.ToUpper(token[0:6]) == "BEARER" { token = token[7:] } - admin, err := dataprovider.AuthenticateNodeToken(token) + admin, role, err := dataprovider.AuthenticateNodeToken(token) if err != nil { logger.Debug(logSender, "", "unable to authenticate node token %q: %v", token, err) sendAPIResponse(w, r, fmt.Errorf("the provided token cannot be authenticated"), "", http.StatusUnauthorized) @@ -330,6 +330,7 @@ func checkNodeToken(tokenAuth *jwtauth.JWTAuth) func(next http.Handler) http.Han Username: admin, Permissions: []string{dataprovider.PermAdminViewConnections, dataprovider.PermAdminCloseConnections}, NodeID: dataprovider.GetNodeName(), + Role: role, } resp, err := c.createTokenResponse(tokenAuth, tokenAudienceAPI, util.GetIPFromRemoteAddress(r.RemoteAddr)) if err != nil { @@ -468,7 +469,7 @@ func authenticateUserWithAPIKey(username, keyID string, tokenAuth *jwtauth.JWTAu if err := common.Config.ExecutePostConnectHook(ipAddr, protocol); err != nil { return err } - user, err := dataprovider.GetUserWithGroupSettings(username) + user, err := dataprovider.GetUserWithGroupSettings(username, "") if err != nil { updateLoginMetrics(&dataprovider.User{BaseUser: sdk.BaseUser{Username: username}}, dataprovider.LoginMethodPassword, ipAddr, err) diff --git a/internal/httpd/oidc.go b/internal/httpd/oidc.go index 699109b6..1b37437f 100644 --- a/internal/httpd/oidc.go +++ b/internal/httpd/oidc.go @@ -205,6 +205,7 @@ type oidcToken struct { Username string `json:"username"` Permissions []string `json:"permissions"` HideUserPageSections int `json:"hide_user_page_sections,omitempty"` + AdminRole string `json:"admin_role,omitempty"` Role any `json:"role"` CustomFields *map[string]any `json:"custom_fields,omitempty"` Cookie string `json:"cookie"` @@ -389,10 +390,11 @@ func (t *oidcToken) refreshUser(r *http.Request) error { return err } t.Permissions = admin.Permissions + t.AdminRole = admin.Role t.HideUserPageSections = admin.Filters.Preferences.HideUserPageSections return nil } - user, err := dataprovider.GetUserWithGroupSettings(t.Username) + user, err := dataprovider.GetUserWithGroupSettings(t.Username, "") if err != nil { return err } @@ -416,6 +418,7 @@ func (t *oidcToken) getUser(r *http.Request) error { return err } t.Permissions = admin.Permissions + t.AdminRole = admin.Role t.HideUserPageSections = admin.Filters.Preferences.HideUserPageSections dataprovider.UpdateAdminLastLogin(&admin) return nil @@ -515,6 +518,7 @@ func (s *httpdServer) oidcTokenAuthenticator(audience tokenAudience) func(next h jwtTokenClaims := jwtTokenClaims{ Username: token.Username, Permissions: token.Permissions, + Role: token.AdminRole, HideUserPageSections: token.HideUserPageSections, } _, tokenString, err := jwtTokenClaims.createToken(s.tokenAuth, audience, util.GetIPFromRemoteAddress(r.RemoteAddr)) diff --git a/internal/httpd/oidc_test.go b/internal/httpd/oidc_test.go index a612e23e..d5e3318c 100644 --- a/internal/httpd/oidc_test.go +++ b/internal/httpd/oidc_test.go @@ -32,7 +32,7 @@ import ( "github.com/coreos/go-oidc/v3/oidc" "github.com/go-chi/jwtauth/v5" - "github.com/lestrrat-go/jwx/jwa" + "github.com/lestrrat-go/jwx/v2/jwa" "github.com/rs/xid" "github.com/sftpgo/sdk" "github.com/stretchr/testify/assert" @@ -521,7 +521,7 @@ func TestOIDCLoginLogout(t *testing.T) { err = os.RemoveAll(user.GetHomeDir()) assert.NoError(t, err) - err = dataprovider.DeleteUser(username, "", "") + err = dataprovider.DeleteUser(username, "", "", "") assert.NoError(t, err) } @@ -706,7 +706,7 @@ func TestOIDCRefreshUser(t *testing.T) { if assert.Error(t, err) { assert.Contains(t, err.Error(), "is disabled") } - user, err = dataprovider.UserExists(username) + user, err = dataprovider.UserExists(username, "") assert.NoError(t, err) user.Status = 1 err = dataprovider.UpdateUser(&user, "", "") @@ -723,7 +723,7 @@ func TestOIDCRefreshUser(t *testing.T) { assert.NoError(t, err) assert.Equal(t, user.Filters.WebClient, token.Permissions) - err = dataprovider.DeleteUser(username, "", "") + err = dataprovider.DeleteUser(username, "", "", "") assert.NoError(t, err) } @@ -877,7 +877,7 @@ func TestOIDCToken(t *testing.T) { if assert.Error(t, err) { assert.Contains(t, err.Error(), "is disabled") } - user, err = dataprovider.UserExists(username) + user, err = dataprovider.UserExists(username, "") assert.NoError(t, err) user.Status = 1 user.Password = "np" @@ -916,7 +916,7 @@ func TestOIDCToken(t *testing.T) { err = os.RemoveAll(user.GetHomeDir()) assert.NoError(t, err) - err = dataprovider.DeleteUser(username, "", "") + err = dataprovider.DeleteUser(username, "", "", "") assert.NoError(t, err) } @@ -1039,7 +1039,7 @@ func TestOIDCImplicitRoles(t *testing.T) { err = os.RemoveAll(user.GetHomeDir()) assert.NoError(t, err) - err = dataprovider.DeleteUser(username, "", "") + err = dataprovider.DeleteUser(username, "", "", "") assert.NoError(t, err) } @@ -1164,7 +1164,7 @@ func TestOIDCPreLoginHook(t *testing.T) { assert.NoError(t, err) server.initializeRouter() - _, err = dataprovider.UserExists(username) + _, err = dataprovider.UserExists(username, "") _, ok = err.(*util.RecordNotFoundError) assert.True(t, ok) // now login with OIDC @@ -1197,10 +1197,10 @@ func TestOIDCPreLoginHook(t *testing.T) { server.router.ServeHTTP(rr, r) assert.Equal(t, http.StatusFound, rr.Code) assert.Equal(t, webClientFilesPath, rr.Header().Get("Location")) - _, err = dataprovider.UserExists(username) + _, err = dataprovider.UserExists(username, "") assert.NoError(t, err) - err = dataprovider.DeleteUser(username, "", "") + err = dataprovider.DeleteUser(username, "", "", "") assert.NoError(t, err) err = os.RemoveAll(u.HomeDir) assert.NoError(t, err) @@ -1225,7 +1225,7 @@ func TestOIDCPreLoginHook(t *testing.T) { server.router.ServeHTTP(rr, r) assert.Equal(t, http.StatusFound, rr.Code) assert.Equal(t, webClientLoginPath, rr.Header().Get("Location")) - _, err = dataprovider.UserExists(username) + _, err = dataprovider.UserExists(username, "") _, ok = err.(*util.RecordNotFoundError) assert.True(t, ok) if assert.Len(t, oidcMgr.tokens, 1) { diff --git a/internal/httpd/server.go b/internal/httpd/server.go index e895e300..b86677b7 100644 --- a/internal/httpd/server.go +++ b/internal/httpd/server.go @@ -31,7 +31,7 @@ import ( "github.com/go-chi/chi/v5/middleware" "github.com/go-chi/jwtauth/v5" "github.com/go-chi/render" - "github.com/lestrrat-go/jwx/jwa" + "github.com/lestrrat-go/jwx/v2/jwa" "github.com/rs/cors" "github.com/rs/xid" "github.com/sftpgo/sdk" @@ -329,7 +329,7 @@ func (s *httpdServer) handleWebClientTwoFactorRecoveryPost(w http.ResponseWriter s.renderClientTwoFactorRecoveryPage(w, err.Error(), ipAddr) return } - user, userMerged, err := dataprovider.GetUserVariants(username) + user, userMerged, err := dataprovider.GetUserVariants(username, "") if err != nil { s.renderClientTwoFactorRecoveryPage(w, "Invalid credentials", ipAddr) return @@ -386,7 +386,7 @@ func (s *httpdServer) handleWebClientTwoFactorPost(w http.ResponseWriter, r *htt s.renderClientTwoFactorPage(w, err.Error(), ipAddr) return } - user, err := dataprovider.GetUserWithGroupSettings(username) + user, err := dataprovider.GetUserWithGroupSettings(username, "") if err != nil { s.renderClientTwoFactorPage(w, "Invalid credentials", ipAddr) return @@ -719,6 +719,7 @@ func (s *httpdServer) loginAdmin( c := jwtTokenClaims{ Username: admin.Username, Permissions: admin.Permissions, + Role: admin.Role, Signature: admin.GetSignature(), HideUserPageSections: admin.Filters.Preferences.HideUserPageSections, } @@ -901,6 +902,7 @@ func (s *httpdServer) generateAndSendToken(w http.ResponseWriter, r *http.Reques c := jwtTokenClaims{ Username: admin.Username, Permissions: admin.Permissions, + Role: admin.Role, Signature: admin.GetSignature(), } @@ -939,7 +941,7 @@ func (s *httpdServer) checkCookieExpiration(w http.ResponseWriter, r *http.Reque } func (s *httpdServer) refreshClientToken(w http.ResponseWriter, r *http.Request, tokenClaims jwtTokenClaims) { - user, err := dataprovider.GetUserWithGroupSettings(tokenClaims.Username) + user, err := dataprovider.GetUserWithGroupSettings(tokenClaims.Username, "") if err != nil { return } @@ -976,6 +978,7 @@ func (s *httpdServer) refreshAdminToken(w http.ResponseWriter, r *http.Request, return } tokenClaims.Permissions = admin.Permissions + tokenClaims.Role = admin.Role tokenClaims.HideUserPageSections = admin.Filters.Preferences.HideUserPageSections logger.Debug(logSender, "", "cookie refreshed for admin %#v", admin.Username) tokenClaims.createAndSetCookie(w, r, s.tokenAuth, tokenAudienceWebAdmin, ipAddr) //nolint:errcheck @@ -1294,6 +1297,11 @@ func (s *httpdServer) initializeRouter() { router.With(s.checkPerm(dataprovider.PermAdminManageEventRules)).Post(eventRulesPath, addEventRule) router.With(s.checkPerm(dataprovider.PermAdminManageEventRules)).Put(eventRulesPath+"/{name}", updateEventRule) router.With(s.checkPerm(dataprovider.PermAdminManageEventRules)).Delete(eventRulesPath+"/{name}", deleteEventRule) + router.With(s.checkPerm(dataprovider.PermAdminManageRoles)).Get(rolesPath, getRoles) + router.With(s.checkPerm(dataprovider.PermAdminManageRoles)).Get(rolesPath+"/{name}", getRoleByName) + router.With(s.checkPerm(dataprovider.PermAdminManageRoles)).Post(rolesPath, addRole) + router.With(s.checkPerm(dataprovider.PermAdminManageRoles)).Put(rolesPath+"/{name}", updateRole) + router.With(s.checkPerm(dataprovider.PermAdminManageRoles)).Delete(rolesPath+"/{name}", deleteRole) }) s.router.Get(userTokenPath, s.getUserToken) @@ -1640,6 +1648,17 @@ func (s *httpdServer) setupWebAdminRoutes() { s.handleWebUpdateEventRulePost) router.With(s.checkPerm(dataprovider.PermAdminManageEventRules), verifyCSRFHeader). Delete(webAdminEventRulePath+"/{name}", deleteEventRule) + router.With(s.checkPerm(dataprovider.PermAdminManageRoles), s.refreshCookie). + Get(webAdminRolesPath, s.handleWebGetRoles) + router.With(s.checkPerm(dataprovider.PermAdminManageRoles), s.refreshCookie). + Get(webAdminRolePath, s.handleWebAddRoleGet) + router.With(s.checkPerm(dataprovider.PermAdminManageRoles)).Post(webAdminRolePath, s.handleWebAddRolePost) + router.With(s.checkPerm(dataprovider.PermAdminManageRoles), s.refreshCookie). + Get(webAdminRolePath+"/{name}", s.handleWebUpdateRoleGet) + router.With(s.checkPerm(dataprovider.PermAdminManageRoles)).Post(webAdminRolePath+"/{name}", + s.handleWebUpdateRolePost) + router.With(s.checkPerm(dataprovider.PermAdminManageRoles), verifyCSRFHeader). + Delete(webAdminRolePath+"/{name}", deleteRole) }) } } diff --git a/internal/httpd/webadmin.go b/internal/httpd/webadmin.go index b0f47976..a3f5f6d6 100644 --- a/internal/httpd/webadmin.go +++ b/internal/httpd/webadmin.go @@ -84,6 +84,8 @@ const ( templateEventRule = "eventrule.html" templateEventActions = "eventactions.html" templateEventAction = "eventaction.html" + templateRoles = "roles.html" + templateRole = "role.html" templateMessage = "message.html" templateStatus = "status.html" templateLogin = "login.html" @@ -101,6 +103,7 @@ const ( pageGroupsTitle = "Groups" pageEventRulesTitle = "Event rules" pageEventActionsTitle = "Event actions" + pageRolesTitle = "Roles" pageProfileTitle = "My profile" pageChangePwdTitle = "Change password" pageMaintenanceTitle = "Maintenance" @@ -140,6 +143,8 @@ type basePage struct { EventRuleURL string EventActionsURL string EventActionURL string + RolesURL string + RoleURL string FolderQuotaScanURL string StatusURL string MaintenanceURL string @@ -151,6 +156,7 @@ type basePage struct { GroupsTitle string EventRulesTitle string EventActionsTitle string + RolesTitle string StatusTitle string MaintenanceTitle string DefenderTitle string @@ -183,6 +189,11 @@ type groupsPage struct { Groups []dataprovider.Group } +type rolesPage struct { + basePage + Roles []dataprovider.Role +} + type eventRulesPage struct { basePage Rules []dataprovider.EventRule @@ -226,6 +237,7 @@ type userPage struct { Mode userPageMode VirtualFolders []vfs.BaseVirtualFolder Groups []dataprovider.Group + Roles []dataprovider.Role CanImpersonate bool FsWrapper fsWrapper } @@ -234,6 +246,7 @@ type adminPage struct { basePage Admin *dataprovider.Admin Groups []dataprovider.Group + Roles []dataprovider.Role Error string IsAdd bool } @@ -304,6 +317,13 @@ type groupPage struct { FsWrapper fsWrapper } +type rolePage struct { + basePage + Role *dataprovider.Role + Error string + Mode genericPageMode +} + type eventActionPage struct { basePage Action dataprovider.BaseEventAction @@ -475,6 +495,16 @@ func loadAdminTemplates(templatesPath string) { filepath.Join(templatesPath, templateCommonDir, templateCommonCSS), filepath.Join(templatesPath, templateCommonDir, templateResetPassword), } + rolesPaths := []string{ + filepath.Join(templatesPath, templateCommonDir, templateCommonCSS), + filepath.Join(templatesPath, templateAdminDir, templateBase), + filepath.Join(templatesPath, templateAdminDir, templateRoles), + } + rolePaths := []string{ + filepath.Join(templatesPath, templateCommonDir, templateCommonCSS), + filepath.Join(templatesPath, templateAdminDir, templateBase), + filepath.Join(templatesPath, templateAdminDir, templateRole), + } fsBaseTpl := template.New("fsBaseTemplate").Funcs(template.FuncMap{ "ListFSProviders": func() []sdk.FilesystemProvider { @@ -511,6 +541,8 @@ func loadAdminTemplates(templatesPath string) { setupTmpl := util.LoadTemplate(nil, setupPaths...) forgotPwdTmpl := util.LoadTemplate(nil, forgotPwdPaths...) resetPwdTmpl := util.LoadTemplate(nil, resetPwdPaths...) + rolesTmpl := util.LoadTemplate(nil, rolesPaths...) + roleTmpl := util.LoadTemplate(nil, rolePaths...) adminTemplates[templateUsers] = usersTmpl adminTemplates[templateUser] = userTmpl @@ -538,6 +570,8 @@ func loadAdminTemplates(templatesPath string) { adminTemplates[templateSetup] = setupTmpl adminTemplates[templateForgotPassword] = forgotPwdTmpl adminTemplates[templateResetPassword] = resetPwdTmpl + adminTemplates[templateRoles] = rolesTmpl + adminTemplates[templateRole] = roleTmpl } func isEventManagerResource(currentURL string) bool { @@ -583,6 +617,8 @@ func (s *httpdServer) getBasePageData(title, currentURL string, r *http.Request) EventRuleURL: webAdminEventRulePath, EventActionsURL: webAdminEventActionsPath, EventActionURL: webAdminEventActionPath, + RolesURL: webAdminRolesPath, + RoleURL: webAdminRolePath, QuotaScanURL: webQuotaScanPath, ConnectionsURL: webConnectionsPath, StatusURL: webStatusPath, @@ -596,6 +632,7 @@ func (s *httpdServer) getBasePageData(title, currentURL string, r *http.Request) GroupsTitle: pageGroupsTitle, EventRulesTitle: pageEventRulesTitle, EventActionsTitle: pageEventActionsTitle, + RolesTitle: pageRolesTitle, StatusTitle: pageStatusTitle, MaintenanceTitle: pageMaintenanceTitle, DefenderTitle: pageDefenderTitle, @@ -774,6 +811,10 @@ func (s *httpdServer) renderAddUpdateAdminPage(w http.ResponseWriter, r *http.Re if err != nil { return } + roles, err := s.getWebRoles(w, r, 10, true) + if err != nil { + return + } currentURL := webAdminPath title := "Add a new admin" if !isAdd { @@ -784,6 +825,7 @@ func (s *httpdServer) renderAddUpdateAdminPage(w http.ResponseWriter, r *http.Re basePage: s.getBasePageData(title, currentURL, r), Admin: admin, Groups: groups, + Roles: roles, Error: error, IsAdd: isAdd, } @@ -791,18 +833,7 @@ func (s *httpdServer) renderAddUpdateAdminPage(w http.ResponseWriter, r *http.Re renderAdminTemplate(w, templateAdmin, data) } -func (s *httpdServer) renderUserPage(w http.ResponseWriter, r *http.Request, user *dataprovider.User, - mode userPageMode, error string, admin *dataprovider.Admin, -) { - folders, err := s.getWebVirtualFolders(w, r, defaultQueryLimit, true) - if err != nil { - return - } - groups, err := s.getWebGroups(w, r, defaultQueryLimit, true) - if err != nil { - return - } - user.SetEmptySecretsIfNil() +func (s *httpdServer) getUserPageTitleAndURL(mode userPageMode, username string) (string, string) { var title, currentURL string switch mode { case userPageModeAdd: @@ -810,11 +841,19 @@ func (s *httpdServer) renderUserPage(w http.ResponseWriter, r *http.Request, use currentURL = webUserPath case userPageModeUpdate: title = "Update user" - currentURL = fmt.Sprintf("%v/%v", webUserPath, url.PathEscape(user.Username)) + currentURL = fmt.Sprintf("%v/%v", webUserPath, url.PathEscape(username)) case userPageModeTemplate: title = "User template" currentURL = webTemplateUser } + return title, currentURL +} + +func (s *httpdServer) renderUserPage(w http.ResponseWriter, r *http.Request, user *dataprovider.User, + mode userPageMode, errorString string, admin *dataprovider.Admin, +) { + user.SetEmptySecretsIfNil() + title, currentURL := s.getUserPageTitleAndURL(mode, user.Username) if user.Password != "" && user.IsPasswordHashed() { switch mode { case userPageModeUpdate: @@ -833,10 +872,26 @@ func (s *httpdServer) renderUserPage(w http.ResponseWriter, r *http.Request, use }) } } + var roles []dataprovider.Role + if basePage.LoggedAdmin.Role == "" { + var err error + roles, err = s.getWebRoles(w, r, 10, true) + if err != nil { + return + } + } + folders, err := s.getWebVirtualFolders(w, r, defaultQueryLimit, true) + if err != nil { + return + } + groups, err := s.getWebGroups(w, r, defaultQueryLimit, true) + if err != nil { + return + } data := userPage{ basePage: basePage, Mode: mode, - Error: error, + Error: errorString, User: user, ValidPerms: dataprovider.ValidPerms, ValidLoginMethods: dataprovider.ValidLoginMethods, @@ -846,6 +901,7 @@ func (s *httpdServer) renderUserPage(w http.ResponseWriter, r *http.Request, use RootDirPerms: user.GetPermissionsForPath("/"), VirtualFolders: folders, Groups: groups, + Roles: roles, CanImpersonate: os.Getuid() == 0, FsWrapper: fsWrapper{ Filesystem: user.FsConfig, @@ -859,6 +915,27 @@ func (s *httpdServer) renderUserPage(w http.ResponseWriter, r *http.Request, use renderAdminTemplate(w, templateUser, data) } +func (s *httpdServer) renderRolePage(w http.ResponseWriter, r *http.Request, role dataprovider.Role, + mode genericPageMode, error string, +) { + var title, currentURL string + switch mode { + case genericPageModeAdd: + title = "Add a new role" + currentURL = webAdminRolePath + case genericPageModeUpdate: + title = "Update role" + currentURL = fmt.Sprintf("%s/%s", webAdminRolePath, url.PathEscape(role.Name)) + } + data := rolePage{ + basePage: s.getBasePageData(title, currentURL, r), + Error: error, + Role: &role, + Mode: mode, + } + renderAdminTemplate(w, templateRole, data) +} + func (s *httpdServer) renderGroupPage(w http.ResponseWriter, r *http.Request, group dataprovider.Group, mode genericPageMode, error string, ) { @@ -1577,6 +1654,7 @@ func getAdminFromPostFields(r *http.Request) (dataprovider.Admin, error) { admin.Permissions = r.Form["permissions"] admin.Email = r.Form.Get("email") admin.Status = status + admin.Role = r.Form.Get("role") admin.Filters.AllowList = getSliceFromDelimitedValues(r.Form.Get("allowed_ip"), ",") admin.Filters.AllowAPIKeyAuth = r.Form.Get("allow_api_key_auth") != "" admin.AdditionalInfo = r.Form.Get("additional_info") @@ -1843,6 +1921,7 @@ func getUserFromPostFields(r *http.Request) (dataprovider.User, error) { ExpirationDate: expirationDateMillis, AdditionalInfo: r.Form.Get("additional_info"), Description: r.Form.Get("description"), + Role: r.Form.Get("role"), }, Filters: dataprovider.UserFilters{ BaseUserFilters: filters, @@ -2223,6 +2302,18 @@ func getEventRuleFromPostFields(r *http.Request) (dataprovider.EventRule, error) return rule, nil } +func getRoleFromPostFields(r *http.Request) (dataprovider.Role, error) { + err := r.ParseForm() + if err != nil { + return dataprovider.Role{}, err + } + + return dataprovider.Role{ + Name: r.Form.Get("name"), + Description: r.Form.Get("description"), + }, nil +} + func (s *httpdServer) handleWebAdminForgotPwd(w http.ResponseWriter, r *http.Request) { r.Body = http.MaxBytesReader(w, r.Body, maxRequestSize) if !smtp.IsEnabled() { @@ -2515,10 +2606,14 @@ func (s *httpdServer) handleWebUpdateAdminPost(w http.ResponseWriter, r *http.Re s.renderAddUpdateAdminPage(w, r, &updatedAdmin, "You cannot disable yourself", false) return } + if updatedAdmin.Role != claims.Role { + s.renderAddUpdateAdminPage(w, r, &updatedAdmin, "You cannot add/change your role", false) + return + } } err = dataprovider.UpdateAdmin(&updatedAdmin, claims.Username, ipAddr) if err != nil { - s.renderAddUpdateAdminPage(w, r, &admin, err.Error(), false) + s.renderAddUpdateAdminPage(w, r, &updatedAdmin, err.Error(), false) return } http.Redirect(w, r, webAdminsPath, http.StatusSeeOther) @@ -2536,6 +2631,11 @@ func (s *httpdServer) handleWebDefenderPage(w http.ResponseWriter, r *http.Reque func (s *httpdServer) handleGetWebUsers(w http.ResponseWriter, r *http.Request) { r.Body = http.MaxBytesReader(w, r.Body, maxRequestSize) + claims, err := getTokenClaims(r) + if err != nil || claims.Username == "" { + s.renderBadRequestPage(w, r, errors.New("invalid token claims")) + return + } var limit int if _, ok := r.URL.Query()["qlimit"]; ok { var err error @@ -2548,7 +2648,7 @@ func (s *httpdServer) handleGetWebUsers(w http.ResponseWriter, r *http.Request) } users := make([]dataprovider.User, 0, limit) for { - u, err := dataprovider.GetUsers(limit, len(users), dataprovider.OrderASC) + u, err := dataprovider.GetUsers(limit, len(users), dataprovider.OrderASC, claims.Role) if err != nil { s.renderInternalServerErrorPage(w, r, err) return @@ -2657,7 +2757,7 @@ func (s *httpdServer) handleWebTemplateUserGet(w http.ResponseWriter, r *http.Re } if r.URL.Query().Get("from") != "" { username := r.URL.Query().Get("from") - user, err := dataprovider.UserExists(username) + user, err := dataprovider.UserExists(username, admin.Role) if err == nil { user.SetEmptySecrets() user.PublicKeys = nil @@ -2715,6 +2815,8 @@ func (s *httpdServer) handleWebTemplateUserPost(w http.ResponseWriter, r *http.R http.StatusBadRequest, err, "") return } + // to create a template the "manage_system" permission is required, so role admins cannot use + // this method, we don't need to force the role dump.Users = append(dump.Users, u) for _, folder := range u.VirtualFolders { if !dump.HasFolder(folder.Name) { @@ -2764,8 +2866,13 @@ func (s *httpdServer) handleWebAddUserGet(w http.ResponseWriter, r *http.Request func (s *httpdServer) handleWebUpdateUserGet(w http.ResponseWriter, r *http.Request) { r.Body = http.MaxBytesReader(w, r.Body, maxRequestSize) + claims, err := getTokenClaims(r) + if err != nil || claims.Username == "" { + s.renderBadRequestPage(w, r, errors.New("invalid token claims")) + return + } username := getURLParam(r, "username") - user, err := dataprovider.UserExists(username) + user, err := dataprovider.UserExists(username, claims.Role) if err == nil { s.renderUserPage(w, r, &user, userPageModeUpdate, "", nil) } else if _, ok := err.(*util.RecordNotFoundError); ok { @@ -2797,6 +2904,13 @@ func (s *httpdServer) handleWebAddUserPost(w http.ResponseWriter, r *http.Reques Password: user.Password, PublicKeys: user.PublicKeys, }) + if claims.Role != "" { + user.Role = claims.Role + } + user.Filters.RecoveryCodes = nil + user.Filters.TOTPConfig = dataprovider.UserTOTPConfig{ + Enabled: false, + } err = dataprovider.AddUser(&user, claims.Username, ipAddr) if err != nil { s.renderUserPage(w, r, &user, userPageModeAdd, err.Error(), nil) @@ -2813,7 +2927,7 @@ func (s *httpdServer) handleWebUpdateUserPost(w http.ResponseWriter, r *http.Req return } username := getURLParam(r, "username") - user, err := dataprovider.UserExists(username) + user, err := dataprovider.UserExists(username, claims.Role) if _, ok := err.(*util.RecordNotFoundError); ok { s.renderNotFoundPage(w, r, err) return @@ -2849,6 +2963,9 @@ func (s *httpdServer) handleWebUpdateUserPost(w http.ResponseWriter, r *http.Req Password: updatedUser.Password, PublicKeys: updatedUser.PublicKeys, }) + if claims.Role != "" { + updatedUser.Role = claims.Role + } err = dataprovider.UpdateUser(&updatedUser, claims.Username, ipAddr) if err != nil { @@ -2877,8 +2994,8 @@ func (s *httpdServer) handleWebGetConnections(w http.ResponseWriter, r *http.Req s.renderBadRequestPage(w, r, errors.New("invalid token claims")) return } - connectionStats := common.Connections.GetStats() - connectionStats = append(connectionStats, getNodesConnections(claims.Username)...) + connectionStats := common.Connections.GetStats(claims.Role) + connectionStats = append(connectionStats, getNodesConnections(claims.Username, claims.Role)...) data := connectionsPage{ basePage: s.getBasePageData(pageConnectionsTitle, webConnectionsPath, r), Connections: connectionStats, @@ -3400,3 +3517,110 @@ func (s *httpdServer) handleWebUpdateEventRulePost(w http.ResponseWriter, r *htt } http.Redirect(w, r, webAdminEventRulesPath, http.StatusSeeOther) } + +func (s *httpdServer) getWebRoles(w http.ResponseWriter, r *http.Request, limit int, minimal bool) ([]dataprovider.Role, error) { + roles := make([]dataprovider.Role, 0, limit) + for { + res, err := dataprovider.GetRoles(limit, len(roles), dataprovider.OrderASC, minimal) + if err != nil { + s.renderInternalServerErrorPage(w, r, err) + return roles, err + } + roles = append(roles, res...) + if len(res) < limit { + break + } + } + return roles, nil +} + +func (s *httpdServer) handleWebGetRoles(w http.ResponseWriter, r *http.Request) { + r.Body = http.MaxBytesReader(w, r.Body, maxRequestSize) + roles, err := s.getWebRoles(w, r, 10, false) + if err != nil { + return + } + data := rolesPage{ + basePage: s.getBasePageData(pageRolesTitle, webAdminRolesPath, r), + Roles: roles, + } + renderAdminTemplate(w, templateRoles, data) +} + +func (s *httpdServer) handleWebAddRoleGet(w http.ResponseWriter, r *http.Request) { + r.Body = http.MaxBytesReader(w, r.Body, maxRequestSize) + s.renderRolePage(w, r, dataprovider.Role{}, genericPageModeAdd, "") +} + +func (s *httpdServer) handleWebAddRolePost(w http.ResponseWriter, r *http.Request) { + r.Body = http.MaxBytesReader(w, r.Body, maxRequestSize) + role, err := getRoleFromPostFields(r) + if err != nil { + s.renderRolePage(w, r, role, genericPageModeAdd, err.Error()) + return + } + claims, err := getTokenClaims(r) + if err != nil || claims.Username == "" { + s.renderBadRequestPage(w, r, errors.New("invalid token claims")) + return + } + ipAddr := util.GetIPFromRemoteAddress(r.RemoteAddr) + if err := verifyCSRFToken(r.Form.Get(csrfFormToken), ipAddr); err != nil { + s.renderForbiddenPage(w, r, err.Error()) + return + } + err = dataprovider.AddRole(&role, claims.Username, ipAddr) + if err != nil { + s.renderRolePage(w, r, role, genericPageModeAdd, err.Error()) + return + } + http.Redirect(w, r, webAdminRolesPath, http.StatusSeeOther) +} + +func (s *httpdServer) handleWebUpdateRoleGet(w http.ResponseWriter, r *http.Request) { + r.Body = http.MaxBytesReader(w, r.Body, maxRequestSize) + role, err := dataprovider.RoleExists(getURLParam(r, "name")) + if err == nil { + s.renderRolePage(w, r, role, genericPageModeUpdate, "") + } else if _, ok := err.(*util.RecordNotFoundError); ok { + s.renderNotFoundPage(w, r, err) + } else { + s.renderInternalServerErrorPage(w, r, err) + } +} + +func (s *httpdServer) handleWebUpdateRolePost(w http.ResponseWriter, r *http.Request) { + r.Body = http.MaxBytesReader(w, r.Body, maxRequestSize) + claims, err := getTokenClaims(r) + if err != nil || claims.Username == "" { + s.renderBadRequestPage(w, r, errors.New("invalid token claims")) + return + } + role, err := dataprovider.RoleExists(getURLParam(r, "name")) + if _, ok := err.(*util.RecordNotFoundError); ok { + s.renderNotFoundPage(w, r, err) + return + } else if err != nil { + s.renderInternalServerErrorPage(w, r, err) + return + } + + updatedRole, err := getRoleFromPostFields(r) + if err != nil { + s.renderRolePage(w, r, role, genericPageModeAdd, err.Error()) + return + } + ipAddr := util.GetIPFromRemoteAddress(r.RemoteAddr) + if err := verifyCSRFToken(r.Form.Get(csrfFormToken), ipAddr); err != nil { + s.renderForbiddenPage(w, r, err.Error()) + return + } + updatedRole.ID = role.ID + updatedRole.Name = role.Name + err = dataprovider.UpdateRole(&updatedRole, claims.Username, ipAddr) + if err != nil { + s.renderRolePage(w, r, updatedRole, genericPageModeUpdate, err.Error()) + return + } + http.Redirect(w, r, webAdminRolesPath, http.StatusSeeOther) +} diff --git a/internal/httpd/webclient.go b/internal/httpd/webclient.go index 56cb5687..7719754f 100644 --- a/internal/httpd/webclient.go +++ b/internal/httpd/webclient.go @@ -472,7 +472,7 @@ func (s *httpdServer) renderClientMFAPage(w http.ResponseWriter, r *http.Request RecCodesURL: webClientRecoveryCodesPath, Protocols: dataprovider.MFAProtocols, } - user, err := dataprovider.UserExists(data.LoggedUser.Username) + user, err := dataprovider.UserExists(data.LoggedUser.Username, "") if err != nil { s.renderInternalServerErrorPage(w, r, err) return @@ -590,7 +590,7 @@ func (s *httpdServer) renderClientProfilePage(w http.ResponseWriter, r *http.Req baseClientPage: s.getBaseClientPageData(pageClientProfileTitle, webClientProfilePath, r), Error: error, } - user, userMerged, err := dataprovider.GetUserVariants(data.LoggedUser.Username) + user, userMerged, err := dataprovider.GetUserVariants(data.LoggedUser.Username, "") if err != nil { s.renderClientInternalServerErrorPage(w, r, err) return @@ -620,7 +620,7 @@ func (s *httpdServer) handleWebClientDownloadZip(w http.ResponseWriter, r *http. return } - user, err := dataprovider.GetUserWithGroupSettings(claims.Username) + user, err := dataprovider.GetUserWithGroupSettings(claims.Username, "") if err != nil { s.renderClientMessagePage(w, r, "Unable to retrieve your user", "", getRespStatus(err), nil, "") return @@ -820,7 +820,7 @@ func (s *httpdServer) handleClientGetDirContents(w http.ResponseWriter, r *http. return } - user, err := dataprovider.GetUserWithGroupSettings(claims.Username) + user, err := dataprovider.GetUserWithGroupSettings(claims.Username, "") if err != nil { sendAPIResponse(w, r, nil, "Unable to retrieve your user", getRespStatus(err)) return @@ -897,7 +897,7 @@ func (s *httpdServer) handleClientGetFiles(w http.ResponseWriter, r *http.Reques return } - user, err := dataprovider.GetUserWithGroupSettings(claims.Username) + user, err := dataprovider.GetUserWithGroupSettings(claims.Username, "") if err != nil { s.renderClientMessagePage(w, r, "Unable to retrieve your user", "", getRespStatus(err), nil, "") return @@ -956,7 +956,7 @@ func (s *httpdServer) handleClientEditFile(w http.ResponseWriter, r *http.Reques return } - user, err := dataprovider.GetUserWithGroupSettings(claims.Username) + user, err := dataprovider.GetUserWithGroupSettings(claims.Username, "") if err != nil { s.renderClientMessagePage(w, r, "Unable to retrieve your user", "", getRespStatus(err), nil, "") return @@ -1025,7 +1025,7 @@ func (s *httpdServer) handleClientAddShareGet(w http.ResponseWriter, r *http.Req s.renderClientForbiddenPage(w, r, "Invalid token claims") return } - user, err := dataprovider.GetUserWithGroupSettings(claims.Username) + user, err := dataprovider.GetUserWithGroupSettings(claims.Username, "") if err != nil { s.renderClientMessagePage(w, r, "Unable to retrieve your user", "", getRespStatus(err), nil, "") return @@ -1218,7 +1218,7 @@ func (s *httpdServer) handleWebClientProfilePost(w http.ResponseWriter, r *http. s.renderClientForbiddenPage(w, r, "Invalid token claims") return } - user, userMerged, err := dataprovider.GetUserVariants(claims.Username) + user, userMerged, err := dataprovider.GetUserVariants(claims.Username, "") if err != nil { s.renderClientProfilePage(w, r, err.Error()) return @@ -1368,7 +1368,7 @@ func (s *httpdServer) handleClientGetPDF(w http.ResponseWriter, r *http.Request) return } name = util.CleanPath(name) - user, err := dataprovider.GetUserWithGroupSettings(claims.Username) + user, err := dataprovider.GetUserWithGroupSettings(claims.Username, "") if err != nil { s.renderClientMessagePage(w, r, "Unable to retrieve your user", "", getRespStatus(err), nil, "") return diff --git a/internal/httpdtest/httpdtest.go b/internal/httpdtest/httpdtest.go index 90513fef..dd5c8aef 100644 --- a/internal/httpdtest/httpdtest.go +++ b/internal/httpdtest/httpdtest.go @@ -62,6 +62,7 @@ const ( retentionChecksPath = "/api/v2/retention/users/checks" eventActionsPath = "/api/v2/eventactions" eventRulesPath = "/api/v2/eventrules" + rolesPath = "/api/v2/roles" ) const ( @@ -368,6 +369,115 @@ func GetGroups(limit, offset int64, expectedStatusCode int) ([]dataprovider.Grou return groups, body, err } +// AddRole adds a new role and checks the received HTTP Status code against expectedStatusCode. +func AddRole(role dataprovider.Role, expectedStatusCode int) (dataprovider.Role, []byte, error) { + var newRole dataprovider.Role + var body []byte + asJSON, _ := json.Marshal(role) + resp, err := sendHTTPRequest(http.MethodPost, buildURLRelativeToBase(rolesPath), bytes.NewBuffer(asJSON), + "application/json", getDefaultToken()) + if err != nil { + return newRole, body, err + } + defer resp.Body.Close() + err = checkResponse(resp.StatusCode, expectedStatusCode) + if expectedStatusCode != http.StatusCreated { + body, _ = getResponseBody(resp) + return newRole, body, err + } + if err == nil { + err = render.DecodeJSON(resp.Body, &newRole) + } else { + body, _ = getResponseBody(resp) + } + if err == nil { + err = checkRole(role, newRole) + } + return newRole, body, err +} + +// UpdateRole updates an existing role and checks the received HTTP Status code against expectedStatusCode +func UpdateRole(role dataprovider.Role, expectedStatusCode int) (dataprovider.Role, []byte, error) { + var newRole dataprovider.Role + var body []byte + + asJSON, _ := json.Marshal(role) + resp, err := sendHTTPRequest(http.MethodPut, buildURLRelativeToBase(rolesPath, url.PathEscape(role.Name)), + bytes.NewBuffer(asJSON), "application/json", getDefaultToken()) + if err != nil { + return newRole, body, err + } + defer resp.Body.Close() + body, _ = getResponseBody(resp) + err = checkResponse(resp.StatusCode, expectedStatusCode) + if expectedStatusCode != http.StatusOK { + return newRole, body, err + } + if err == nil { + newRole, body, err = GetRoleByName(role.Name, expectedStatusCode) + } + if err == nil { + err = checkRole(role, newRole) + } + return newRole, body, err +} + +// RemoveRole removes an existing role and checks the received HTTP Status code against expectedStatusCode. +func RemoveRole(role dataprovider.Role, expectedStatusCode int) ([]byte, error) { + var body []byte + resp, err := sendHTTPRequest(http.MethodDelete, buildURLRelativeToBase(rolesPath, url.PathEscape(role.Name)), + nil, "", getDefaultToken()) + if err != nil { + return body, err + } + defer resp.Body.Close() + body, _ = getResponseBody(resp) + return body, checkResponse(resp.StatusCode, expectedStatusCode) +} + +// GetRoleByName gets a role by name and checks the received HTTP Status code against expectedStatusCode. +func GetRoleByName(name string, expectedStatusCode int) (dataprovider.Role, []byte, error) { + var role dataprovider.Role + var body []byte + resp, err := sendHTTPRequest(http.MethodGet, buildURLRelativeToBase(rolesPath, url.PathEscape(name)), + nil, "", getDefaultToken()) + if err != nil { + return role, body, err + } + defer resp.Body.Close() + err = checkResponse(resp.StatusCode, expectedStatusCode) + if err == nil && expectedStatusCode == http.StatusOK { + err = render.DecodeJSON(resp.Body, &role) + } else { + body, _ = getResponseBody(resp) + } + return role, body, err +} + +// GetRoles returns a list of roles and checks the received HTTP Status code against expectedStatusCode. +// The number of results can be limited specifying a limit. +// Some results can be skipped specifying an offset. +func GetRoles(limit, offset int64, expectedStatusCode int) ([]dataprovider.Role, []byte, error) { + var roles []dataprovider.Role + var body []byte + url, err := addLimitAndOffsetQueryParams(buildURLRelativeToBase(rolesPath), limit, offset) + if err != nil { + return roles, body, err + } + resp, err := sendHTTPRequest(http.MethodGet, url.String(), nil, "", getDefaultToken()) + if err != nil { + return roles, body, err + } + defer resp.Body.Close() + err = checkResponse(resp.StatusCode, expectedStatusCode) + if err == nil && expectedStatusCode == http.StatusOK { + err = render.DecodeJSON(resp.Body, &roles) + } else { + body, _ = getResponseBody(resp) + } + return roles, body, err +} + // AddAdmin adds a new admin and checks the received HTTP Status code against expectedStatusCode. func AddAdmin(admin dataprovider.Admin, expectedStatusCode int) (dataprovider.Admin, []byte, error) { var newAdmin dataprovider.Admin @@ -1503,6 +1613,31 @@ func checkEventRule(expected, actual dataprovider.EventRule) error { return checkEventRuleActions(expected.Actions, actual.Actions) } +func checkRole(expected, actual dataprovider.Role) error { + if expected.ID <= 0 { + if actual.ID <= 0 { + return errors.New("actual role ID must be > 0") + } + } else { + if actual.ID != expected.ID { + return errors.New("role ID mismatch") + } + } + if dataprovider.ConvertName(expected.Name) != actual.Name { + return errors.New("name mismatch") + } + if expected.Description != actual.Description { + return errors.New("description mismatch") + } + if actual.CreatedAt == 0 { + return errors.New("created_at unset") + } + if actual.UpdatedAt == 0 { + return errors.New("updated_at unset") + } + return nil +} + func checkGroup(expected, actual dataprovider.Group) error { if expected.ID <= 0 { if actual.ID <= 0 { @@ -1667,6 +1802,9 @@ func compareAdminEqualFields(expected *dataprovider.Admin, actual *dataprovider. if expected.AdditionalInfo != actual.AdditionalInfo { return errors.New("additional info mismatch") } + if expected.Role != actual.Role { + return errors.New("role mismatch") + } return nil } @@ -2491,6 +2629,9 @@ func compareEqualsUserFields(expected *dataprovider.User, actual *dataprovider.U if expected.Description != actual.Description { return errors.New("description mismatch") } + if expected.Role != actual.Role { + return errors.New("role mismatch") + } return compareQuotaUserFields(expected, actual) } diff --git a/internal/service/service.go b/internal/service/service.go index 051e1b57..41343358 100644 --- a/internal/service/service.go +++ b/internal/service/service.go @@ -350,7 +350,11 @@ func (s *Service) LoadInitialData() error { } func (s *Service) restoreDump(dump *dataprovider.BackupData) error { - err := httpd.RestoreFolders(dump.Folders, s.LoadDataFrom, s.LoadDataMode, s.LoadDataQuotaScan, dataprovider.ActionExecutorSystem, "") + err := httpd.RestoreRoles(dump.Roles, s.LoadDataFrom, s.LoadDataMode, dataprovider.ActionExecutorSystem, "") + if err != nil { + return fmt.Errorf("unable to restore roles from file %#v: %v", s.LoadDataFrom, err) + } + err = httpd.RestoreFolders(dump.Folders, s.LoadDataFrom, s.LoadDataMode, s.LoadDataQuotaScan, dataprovider.ActionExecutorSystem, "") if err != nil { return fmt.Errorf("unable to restore folders from file %#v: %v", s.LoadDataFrom, err) } diff --git a/internal/sftpd/internal_test.go b/internal/sftpd/internal_test.go index 820a7a0d..2ca49bc1 100644 --- a/internal/sftpd/internal_test.go +++ b/internal/sftpd/internal_test.go @@ -2088,7 +2088,7 @@ func TestRecoverer(t *testing.T) { } err = scpCmd.handle() assert.EqualError(t, err, common.ErrGenericFailure.Error()) - assert.Len(t, common.Connections.GetStats(), 0) + assert.Len(t, common.Connections.GetStats(""), 0) } func TestListernerAcceptErrors(t *testing.T) { @@ -2241,7 +2241,7 @@ func TestMaxUserSessions(t *testing.T) { assert.Contains(t, err.Error(), "too many open sessions") } common.Connections.Remove(connection.GetID()) - assert.Len(t, common.Connections.GetStats(), 0) + assert.Len(t, common.Connections.GetStats(""), 0) } func TestCanReadSymlink(t *testing.T) { diff --git a/internal/sftpd/server.go b/internal/sftpd/server.go index e4a65c10..ed65c042 100644 --- a/internal/sftpd/server.go +++ b/internal/sftpd/server.go @@ -237,7 +237,7 @@ func (c *Configuration) getServerConfig() *ssh.ServerConfig { }, NextAuthMethodsCallback: func(conn ssh.ConnMetadata) []string { var nextMethods []string - user, err := dataprovider.GetUserWithGroupSettings(conn.User()) + user, err := dataprovider.GetUserWithGroupSettings(conn.User(), "") if err == nil { nextMethods = user.GetNextAuthMethods(conn.PartialSuccessMethods(), c.PasswordAuthentication) } diff --git a/internal/sftpd/sftpd_test.go b/internal/sftpd/sftpd_test.go index 7d41ae97..3c53df56 100644 --- a/internal/sftpd/sftpd_test.go +++ b/internal/sftpd/sftpd_test.go @@ -985,7 +985,7 @@ func TestDefender(t *testing.T) { _, _, err = getSftpClient(user, usePubKey) assert.Error(t, err) - err = dataprovider.DeleteUser(user.Username, "", "") + err = dataprovider.DeleteUser(user.Username, "", "", "") assert.NoError(t, err) err = os.RemoveAll(user.GetHomeDir()) assert.NoError(t, err) @@ -1144,7 +1144,7 @@ func TestConcurrency(t *testing.T) { for { servedReqs := closedConns.Load() if servedReqs > 0 { - stats := common.Connections.GetStats() + stats := common.Connections.GetStats("") if len(stats) > maxConns { maxConns = len(stats) } @@ -1178,7 +1178,7 @@ func TestConcurrency(t *testing.T) { }, 1*time.Second, 50*time.Millisecond) assert.Eventually(t, func() bool { - return len(common.Connections.GetStats()) == 0 + return len(common.Connections.GetStats("")) == 0 }, 1*time.Second, 50*time.Millisecond) err = os.Remove(testFilePath) @@ -4284,7 +4284,7 @@ func TestMaxConnections(t *testing.T) { err = conn.Close() assert.NoError(t, err) } - err = dataprovider.DeleteUser(user.Username, "", "") + err = dataprovider.DeleteUser(user.Username, "", "", "") assert.NoError(t, err) err = os.RemoveAll(user.GetHomeDir()) assert.NoError(t, err) @@ -4319,7 +4319,7 @@ func TestMaxPerHostConnections(t *testing.T) { err = conn.Close() assert.NoError(t, err) } - err = dataprovider.DeleteUser(user.Username, "", "") + err = dataprovider.DeleteUser(user.Username, "", "", "") assert.NoError(t, err) err = os.RemoveAll(user.GetHomeDir()) assert.NoError(t, err) @@ -4603,12 +4603,12 @@ func TestQuotaScan(t *testing.T) { } func TestMultipleQuotaScans(t *testing.T) { - res := common.QuotaScans.AddUserQuotaScan(defaultUsername) + res := common.QuotaScans.AddUserQuotaScan(defaultUsername, "") assert.True(t, res) - res = common.QuotaScans.AddUserQuotaScan(defaultUsername) + res = common.QuotaScans.AddUserQuotaScan(defaultUsername, "") assert.False(t, res, "add quota must fail if another scan is already active") assert.True(t, common.QuotaScans.RemoveUserQuotaScan(defaultUsername)) - activeScans := common.QuotaScans.GetUsersQuotaScans() + activeScans := common.QuotaScans.GetUsersQuotaScans("") assert.Equal(t, 0, len(activeScans)) assert.False(t, common.QuotaScans.RemoveUserQuotaScan(defaultUsername)) } @@ -4866,13 +4866,13 @@ func TestBandwidthAndConnections(t *testing.T) { waitForActiveTransfers(t) time.Sleep(100 * time.Millisecond) - for _, stat := range common.Connections.GetStats() { - common.Connections.Close(stat.ConnectionID) + for _, stat := range common.Connections.GetStats("") { + common.Connections.Close(stat.ConnectionID, "") } err = <-c assert.Error(t, err, "connection closed while uploading: the upload must fail") assert.Eventually(t, func() bool { - return len(common.Connections.GetStats()) == 0 + return len(common.Connections.GetStats("")) == 0 }, 10*time.Second, 200*time.Millisecond) err = os.Remove(testFilePath) assert.NoError(t, err) @@ -7242,7 +7242,7 @@ func TestHashedPasswords(t *testing.T) { user.Password = "" userGetInitial, _, err := httpdtest.UpdateUser(user, http.StatusOK, "") assert.NoError(t, err) - user, err = dataprovider.UserExists(user.Username) + user, err = dataprovider.UserExists(user.Username, "") assert.NoError(t, err) assert.Equal(t, pwd, user.Password) user.Password = clearPwd @@ -7259,7 +7259,7 @@ func TestHashedPasswords(t *testing.T) { conn.Close() } // the password must converted to bcrypt and we should still be able to login - user, err = dataprovider.UserExists(user.Username) + user, err = dataprovider.UserExists(user.Username, "") assert.NoError(t, err) assert.True(t, strings.HasPrefix(user.Password, "$2a$")) // update the user to invalidate the cached password and force a new check @@ -10576,7 +10576,7 @@ func TestSCPErrors(t *testing.T) { time.Sleep(100 * time.Millisecond) err = cmd.Process.Kill() assert.NoError(t, err) - assert.Eventually(t, func() bool { return len(common.Connections.GetStats()) == 0 }, 2*time.Second, 100*time.Millisecond) + assert.Eventually(t, func() bool { return len(common.Connections.GetStats("")) == 0 }, 2*time.Second, 100*time.Millisecond) cmd = getScpUploadCommand(testFilePath, remoteUpPath, false, false) go func() { err := cmd.Run() @@ -10588,7 +10588,7 @@ func TestSCPErrors(t *testing.T) { time.Sleep(100 * time.Millisecond) err = cmd.Process.Kill() assert.NoError(t, err) - assert.Eventually(t, func() bool { return len(common.Connections.GetStats()) == 0 }, 2*time.Second, 100*time.Millisecond) + assert.Eventually(t, func() bool { return len(common.Connections.GetStats("")) == 0 }, 2*time.Second, 100*time.Millisecond) err = os.Remove(testFilePath) assert.NoError(t, err) os.Remove(localPath) @@ -11076,7 +11076,7 @@ func computeHashForFile(hasher hash.Hash, path string) (string, error) { func waitForActiveTransfers(t *testing.T) { assert.Eventually(t, func() bool { - for _, stat := range common.Connections.GetStats() { + for _, stat := range common.Connections.GetStats("") { if len(stat.Transfers) > 0 { return true } diff --git a/internal/smtp/smtp.go b/internal/smtp/smtp.go index f99c2b85..61bef9f5 100644 --- a/internal/smtp/smtp.go +++ b/internal/smtp/smtp.go @@ -181,6 +181,7 @@ func SendEmail(to []string, subject, body string, contentType EmailContentType, } email := mail.NewMSG() + email.AllowDuplicateAddress = true if from != "" { email.SetFrom(from) } else { diff --git a/internal/util/util.go b/internal/util/util.go index 7f08be2e..48ac5ebb 100644 --- a/internal/util/util.go +++ b/internal/util/util.go @@ -617,8 +617,8 @@ func GetSSHPublicKeyAsString(pubKey []byte) (string, error) { return string(ssh.MarshalAuthorizedKey(k)), nil } -// GetRealIP returns the ip address as result of parsing either the -// X-Real-IP header or the X-Forwarded-For header +// GetRealIP returns the ip address as result of parsing the specified +// header and using the specified depth func GetRealIP(r *http.Request, header string, depth int) string { if header == "" { return "" diff --git a/internal/version/version.go b/internal/version/version.go index 818575fc..6847f27b 100644 --- a/internal/version/version.go +++ b/internal/version/version.go @@ -17,7 +17,7 @@ package version import "strings" -const version = "2.4.0-dev" +const version = "2.4.1-dev" var ( commit = "" diff --git a/internal/webdavd/internal_test.go b/internal/webdavd/internal_test.go index 9d2de3b4..41ca5a03 100644 --- a/internal/webdavd/internal_test.go +++ b/internal/webdavd/internal_test.go @@ -937,7 +937,7 @@ func TestTransferSeek(t *testing.T) { assert.True(t, fs.IsNotExist(err)) assert.Equal(t, int64(0), res) - assert.Len(t, common.Connections.GetStats(), 0) + assert.Len(t, common.Connections.GetStats(""), 0) err = os.Remove(testFilePath) assert.NoError(t, err) @@ -959,7 +959,7 @@ func TestBasicUsersCache(t *testing.T) { u.Permissions["/"] = []string{dataprovider.PermAny} err := dataprovider.AddUser(&u, "", "") assert.NoError(t, err) - user, err := dataprovider.UserExists(u.Username) + user, err := dataprovider.UserExists(u.Username, "") assert.NoError(t, err) c := &Configuration{ @@ -1054,7 +1054,7 @@ func TestBasicUsersCache(t *testing.T) { _, ok = dataprovider.GetCachedWebDAVUser(username) assert.True(t, ok) // cache is invalidated after user deletion - err = dataprovider.DeleteUser(user.Username, "", "") + err = dataprovider.DeleteUser(user.Username, "", "", "") assert.NoError(t, err) _, ok = dataprovider.GetCachedWebDAVUser(username) assert.False(t, ok) @@ -1090,7 +1090,7 @@ func TestCachedUserWithFolders(t *testing.T) { }) err := dataprovider.AddUser(&u, "", "") assert.NoError(t, err) - user, err := dataprovider.UserExists(u.Username) + user, err := dataprovider.UserExists(u.Username, "") assert.NoError(t, err) c := &Configuration{ @@ -1177,7 +1177,7 @@ func TestCachedUserWithFolders(t *testing.T) { assert.False(t, cachedUser.IsExpired()) } - err = dataprovider.DeleteUser(user.Username, "", "") + err = dataprovider.DeleteUser(user.Username, "", "", "") assert.NoError(t, err) _, ok = dataprovider.GetCachedWebDAVUser(username) assert.False(t, ok) @@ -1205,25 +1205,25 @@ func TestUsersCacheSizeAndExpiration(t *testing.T) { u.Permissions["/"] = []string{dataprovider.PermAny} err := dataprovider.AddUser(&u, "", "") assert.NoError(t, err) - user1, err := dataprovider.UserExists(u.Username) + user1, err := dataprovider.UserExists(u.Username, "") assert.NoError(t, err) u.Username = username + "2" u.Password = password + "2" err = dataprovider.AddUser(&u, "", "") assert.NoError(t, err) - user2, err := dataprovider.UserExists(u.Username) + user2, err := dataprovider.UserExists(u.Username, "") assert.NoError(t, err) u.Username = username + "3" u.Password = password + "3" err = dataprovider.AddUser(&u, "", "") assert.NoError(t, err) - user3, err := dataprovider.UserExists(u.Username) + user3, err := dataprovider.UserExists(u.Username, "") assert.NoError(t, err) u.Username = username + "4" u.Password = password + "4" err = dataprovider.AddUser(&u, "", "") assert.NoError(t, err) - user4, err := dataprovider.UserExists(u.Username) + user4, err := dataprovider.UserExists(u.Username, "") assert.NoError(t, err) c := &Configuration{ @@ -1385,13 +1385,13 @@ func TestUsersCacheSizeAndExpiration(t *testing.T) { _, ok = dataprovider.GetCachedWebDAVUser(user4.Username) assert.True(t, ok) - err = dataprovider.DeleteUser(user1.Username, "", "") + err = dataprovider.DeleteUser(user1.Username, "", "", "") assert.NoError(t, err) - err = dataprovider.DeleteUser(user2.Username, "", "") + err = dataprovider.DeleteUser(user2.Username, "", "", "") assert.NoError(t, err) - err = dataprovider.DeleteUser(user3.Username, "", "") + err = dataprovider.DeleteUser(user3.Username, "", "", "") assert.NoError(t, err) - err = dataprovider.DeleteUser(user4.Username, "", "") + err = dataprovider.DeleteUser(user4.Username, "", "", "") assert.NoError(t, err) err = os.RemoveAll(u.GetHomeDir()) @@ -1415,7 +1415,7 @@ func TestUserCacheIsolation(t *testing.T) { u.Permissions["/"] = []string{dataprovider.PermAny} err := dataprovider.AddUser(&u, "", "") assert.NoError(t, err) - user, err := dataprovider.UserExists(u.Username) + user, err := dataprovider.UserExists(u.Username, "") assert.NoError(t, err) cachedUser := &dataprovider.CachedUser{ User: user, @@ -1449,7 +1449,7 @@ func TestUserCacheIsolation(t *testing.T) { assert.False(t, cachedUser.User.FsConfig.S3Config.AccessSecret.IsEncrypted()) } - err = dataprovider.DeleteUser(username, "", "") + err = dataprovider.DeleteUser(username, "", "", "") assert.NoError(t, err) _, ok = dataprovider.GetCachedWebDAVUser(username) assert.False(t, ok) diff --git a/internal/webdavd/webdavd_test.go b/internal/webdavd/webdavd_test.go index 278a6ef8..d8890d29 100644 --- a/internal/webdavd/webdavd_test.go +++ b/internal/webdavd/webdavd_test.go @@ -620,7 +620,7 @@ func TestBasicHandling(t *testing.T) { assert.NoError(t, err) err = os.RemoveAll(localUser.GetHomeDir()) assert.NoError(t, err) - assert.Eventually(t, func() bool { return len(common.Connections.GetStats()) == 0 }, + assert.Eventually(t, func() bool { return len(common.Connections.GetStats("")) == 0 }, 1*time.Second, 100*time.Millisecond) status := webdavd.GetStatus() assert.True(t, status.IsActive) @@ -702,7 +702,7 @@ func TestBasicHandlingCryptFs(t *testing.T) { assert.NoError(t, err) err = os.RemoveAll(user.GetHomeDir()) assert.NoError(t, err) - assert.Eventually(t, func() bool { return len(common.Connections.GetStats()) == 0 }, + assert.Eventually(t, func() bool { return len(common.Connections.GetStats("")) == 0 }, 1*time.Second, 100*time.Millisecond) } @@ -929,7 +929,7 @@ func TestPropPatch(t *testing.T) { assert.NoError(t, err) err = os.RemoveAll(localUser.GetHomeDir()) assert.NoError(t, err) - assert.Eventually(t, func() bool { return len(common.Connections.GetStats()) == 0 }, + assert.Eventually(t, func() bool { return len(common.Connections.GetStats("")) == 0 }, 1*time.Second, 100*time.Millisecond) } @@ -1311,7 +1311,7 @@ func TestPreDownloadHook(t *testing.T) { assert.NoError(t, err) err = os.RemoveAll(user.GetHomeDir()) assert.NoError(t, err) - assert.Eventually(t, func() bool { return len(common.Connections.GetStats()) == 0 }, + assert.Eventually(t, func() bool { return len(common.Connections.GetStats("")) == 0 }, 1*time.Second, 100*time.Millisecond) common.Config.Actions.ExecuteOn = []string{common.OperationPreDownload} @@ -1361,7 +1361,7 @@ func TestPreUploadHook(t *testing.T) { assert.NoError(t, err) err = os.RemoveAll(user.GetHomeDir()) assert.NoError(t, err) - assert.Eventually(t, func() bool { return len(common.Connections.GetStats()) == 0 }, + assert.Eventually(t, func() bool { return len(common.Connections.GetStats("")) == 0 }, 1*time.Second, 100*time.Millisecond) common.Config.Actions.ExecuteOn = oldExecuteOn @@ -1424,7 +1424,7 @@ func TestMaxConnections(t *testing.T) { assert.NoError(t, err) err = os.RemoveAll(user.GetHomeDir()) assert.NoError(t, err) - assert.Eventually(t, func() bool { return len(common.Connections.GetStats()) == 0 }, + assert.Eventually(t, func() bool { return len(common.Connections.GetStats("")) == 0 }, 1*time.Second, 100*time.Millisecond) common.Config.MaxTotalConnections = oldValue @@ -1456,7 +1456,7 @@ func TestMaxPerHostConnections(t *testing.T) { assert.NoError(t, err) err = os.RemoveAll(user.GetHomeDir()) assert.NoError(t, err) - assert.Eventually(t, func() bool { return len(common.Connections.GetStats()) == 0 }, + assert.Eventually(t, func() bool { return len(common.Connections.GetStats("")) == 0 }, 1*time.Second, 100*time.Millisecond) common.Config.MaxPerHostConnections = oldValue @@ -1482,7 +1482,7 @@ func TestMaxSessions(t *testing.T) { assert.NoError(t, err) err = os.RemoveAll(user.GetHomeDir()) assert.NoError(t, err) - assert.Eventually(t, func() bool { return len(common.Connections.GetStats()) == 0 }, + assert.Eventually(t, func() bool { return len(common.Connections.GetStats("")) == 0 }, 1*time.Second, 100*time.Millisecond) } @@ -1894,7 +1894,7 @@ func TestClientClose(t *testing.T) { }() assert.Eventually(t, func() bool { - for _, stat := range common.Connections.GetStats() { + for _, stat := range common.Connections.GetStats("") { if len(stat.Transfers) > 0 { return true } @@ -1902,16 +1902,16 @@ func TestClientClose(t *testing.T) { return false }, 1*time.Second, 50*time.Millisecond) - for _, stat := range common.Connections.GetStats() { - common.Connections.Close(stat.ConnectionID) + for _, stat := range common.Connections.GetStats("") { + common.Connections.Close(stat.ConnectionID, "") } wg.Wait() // for the sftp user a stat is done after the failed upload and // this triggers a new connection - for _, stat := range common.Connections.GetStats() { - common.Connections.Close(stat.ConnectionID) + for _, stat := range common.Connections.GetStats("") { + common.Connections.Close(stat.ConnectionID, "") } - assert.Eventually(t, func() bool { return len(common.Connections.GetStats()) == 0 }, + assert.Eventually(t, func() bool { return len(common.Connections.GetStats("")) == 0 }, 1*time.Second, 100*time.Millisecond) err = os.Remove(testFilePath) @@ -1929,7 +1929,7 @@ func TestClientClose(t *testing.T) { }() assert.Eventually(t, func() bool { - for _, stat := range common.Connections.GetStats() { + for _, stat := range common.Connections.GetStats("") { if len(stat.Transfers) > 0 { return true } @@ -1937,11 +1937,11 @@ func TestClientClose(t *testing.T) { return false }, 1*time.Second, 50*time.Millisecond) - for _, stat := range common.Connections.GetStats() { - common.Connections.Close(stat.ConnectionID) + for _, stat := range common.Connections.GetStats("") { + common.Connections.Close(stat.ConnectionID, "") } wg.Wait() - assert.Eventually(t, func() bool { return len(common.Connections.GetStats()) == 0 }, + assert.Eventually(t, func() bool { return len(common.Connections.GetStats("")) == 0 }, 1*time.Second, 100*time.Millisecond) err = os.Remove(localDownloadPath) @@ -2964,7 +2964,7 @@ func TestNestedVirtualFolders(t *testing.T) { assert.NoError(t, err) err = os.RemoveAll(localUser.GetHomeDir()) assert.NoError(t, err) - assert.Eventually(t, func() bool { return len(common.Connections.GetStats()) == 0 }, + assert.Eventually(t, func() bool { return len(common.Connections.GetStats("")) == 0 }, 1*time.Second, 100*time.Millisecond) } diff --git a/openapi/openapi.yaml b/openapi/openapi.yaml index 81e7605c..72b85e87 100644 --- a/openapi/openapi.yaml +++ b/openapi/openapi.yaml @@ -10,6 +10,7 @@ tags: - name: quota - name: folders - name: groups + - name: roles - name: users - name: data retention - name: events @@ -27,7 +28,7 @@ info: SFTPGo supports groups to simplify the administration of multiple accounts by letting you assign settings once to a group, instead of multiple times to each individual user. The SFTPGo WebClient allows end users to change their credentials, browse and manage their files in the browser and setup two-factor authentication which works with Authy, Google Authenticator and other compatible apps. From the WebClient each authorized user can also create HTTP/S links to externally share files and folders securely, by setting limits to the number of downloads/uploads, protecting the share with a password, limiting access by source IP address, setting an automatic expiration date. - version: 2.4.0-dev + version: 2.4.1-dev contact: name: API support url: 'https://github.com/drakkan/sftpgo' @@ -1666,6 +1667,181 @@ paths: $ref: '#/components/responses/InternalServerError' default: $ref: '#/components/responses/DefaultResponse' + /roles: + get: + tags: + - roles + summary: Get roles + description: Returns an array with one or more roles + operationId: get_roles + parameters: + - in: query + name: offset + schema: + type: integer + minimum: 0 + default: 0 + required: false + - in: query + name: limit + schema: + type: integer + minimum: 1 + maximum: 500 + default: 100 + required: false + description: 'The maximum number of items to return. Max value is 500, default is 100' + - in: query + name: order + required: false + description: Ordering groups by name. Default ASC + schema: + type: string + enum: + - ASC + - DESC + example: ASC + responses: + '200': + description: successful operation + content: + application/json: + schema: + type: array + items: + $ref: '#/components/schemas/Role' + '400': + $ref: '#/components/responses/BadRequest' + '401': + $ref: '#/components/responses/Unauthorized' + '403': + $ref: '#/components/responses/Forbidden' + '500': + $ref: '#/components/responses/InternalServerError' + default: + $ref: '#/components/responses/DefaultResponse' + post: + tags: + - roles + summary: Add role + operationId: add_role + description: Adds a new role + requestBody: + required: true + content: + application/json: + schema: + $ref: '#/components/schemas/Role' + responses: + '201': + description: successful operation + content: + application/json: + schema: + $ref: '#/components/schemas/Role' + '400': + $ref: '#/components/responses/BadRequest' + '401': + $ref: '#/components/responses/Unauthorized' + '403': + $ref: '#/components/responses/Forbidden' + '500': + $ref: '#/components/responses/InternalServerError' + default: + $ref: '#/components/responses/DefaultResponse' + '/roles/{name}': + parameters: + - name: name + in: path + description: role name + required: true + schema: + type: string + get: + tags: + - roles + summary: Find roles by name + description: Returns the role with the given name if it exists. + operationId: get_role_by_name + responses: + '200': + description: successful operation + content: + application/json: + schema: + $ref: '#/components/schemas/Role' + '400': + $ref: '#/components/responses/BadRequest' + '401': + $ref: '#/components/responses/Unauthorized' + '403': + $ref: '#/components/responses/Forbidden' + '404': + $ref: '#/components/responses/NotFound' + '500': + $ref: '#/components/responses/InternalServerError' + default: + $ref: '#/components/responses/DefaultResponse' + put: + tags: + - roles + summary: Update role + description: Updates an existing role + operationId: update_role + requestBody: + required: true + content: + application/json: + schema: + $ref: '#/components/schemas/Role' + responses: + '200': + description: successful operation + content: + application/json: + schema: + $ref: '#/components/schemas/ApiResponse' + example: + message: Group updated + '400': + $ref: '#/components/responses/BadRequest' + '401': + $ref: '#/components/responses/Unauthorized' + '403': + $ref: '#/components/responses/Forbidden' + '404': + $ref: '#/components/responses/NotFound' + '500': + $ref: '#/components/responses/InternalServerError' + default: + $ref: '#/components/responses/DefaultResponse' + delete: + tags: + - roles + summary: Delete role + description: Deletes an existing role + operationId: delete_role + responses: + '200': + description: successful operation + content: + application/json: + schema: + $ref: '#/components/schemas/ApiResponse' + example: + message: Group deleted + '400': + $ref: '#/components/responses/BadRequest' + '401': + $ref: '#/components/responses/Unauthorized' + '403': + $ref: '#/components/responses/Forbidden' + '404': + $ref: '#/components/responses/NotFound' + '500': + $ref: '#/components/responses/InternalServerError' + default: + $ref: '#/components/responses/DefaultResponse' /eventactions: get: tags: @@ -4269,6 +4445,7 @@ components: - close_conns - view_status - manage_admins + - manage_groups - manage_apikeys - quota_scans - manage_system @@ -4278,6 +4455,7 @@ components: - metadata_checks - view_events - manage_event_rules + - manager_roles description: | Admin permissions: * `*` - all permissions are granted @@ -4289,6 +4467,7 @@ components: * `close_conns` - close active connections is allowed * `view_status` - view the server status is allowed * `manage_admins` - manage other admins is allowed + * `manage_groups` - manage groups is allowed * `manage_apikeys` - manage API keys is allowed * `quota_scans` - view and start quota scans is allowed * `manage_system` - backups and restores are allowed @@ -4298,6 +4477,7 @@ components: * `metadata_checks` - view and start metadata checks is allowed * `view_events` - view and search filesystem and provider events is allowed * `manage_event_rules` - manage event actions and rules is allowed + * `manager_roles` - manage roles is allowed FsProviders: type: integer enum: @@ -4538,6 +4718,7 @@ components: - share - event_action - event_rule + - role SSHAuthentications: type: string enum: @@ -5211,6 +5392,8 @@ components: type: object additionalProperties: true description: 'This field is passed to the pre-login hook if custom OIDC token fields have been configured. Field values can be of any type (this is a free form object) and depend on the type of the configured OIDC token fields' + role: + type: string AdminPreferences: type: object properties: @@ -5297,6 +5480,9 @@ components: type: integer format: int64 description: Last user login as unix timestamp in milliseconds. It is saved at most once every 10 minutes + role: + type: string + description: 'If set the admin can only administer users with the same role. Role admins cannot have the following permissions: "manage_admins", "manage_apikeys", "manage_system", "manage_event_rules", "manage_roles", "view_events"' AdminProfile: type: object properties: @@ -5840,6 +6026,37 @@ components: description: 'Maximum total data transfer as MB' filters: $ref: '#/components/schemas/BaseUserFilters' + Role: + type: object + properties: + id: + type: integer + format: int32 + minimum: 1 + name: + type: string + description: name is unique + description: + type: string + description: 'optional description' + created_at: + type: integer + format: int64 + description: creation time as unix timestamp in milliseconds + updated_at: + type: integer + format: int64 + description: last update time as unix timestamp in milliseconds + users: + type: array + items: + type: string + description: list of usernames associated with this group + admins: + type: array + items: + type: string + description: list of admins usernames associated with this group Group: type: object properties: @@ -5942,6 +6159,18 @@ components: type: array items: $ref: '#/components/schemas/Share' + event_actions: + type: array + items: + $ref: '#/components/schemas/EventAction' + event_rules: + type: array + items: + $ref: '#/components/schemas/EventRule' + roles: + type: array + items: + $ref: '#/components/schemas/Role' version: type: integer PwdChange: diff --git a/pkgs/build.sh b/pkgs/build.sh index 71c40370..a687654c 100755 --- a/pkgs/build.sh +++ b/pkgs/build.sh @@ -1,6 +1,6 @@ #!/bin/bash -NFPM_VERSION=2.21.0 +NFPM_VERSION=2.22.0 NFPM_ARCH=${NFPM_ARCH:-amd64} if [ -z ${SFTPGO_VERSION} ] then diff --git a/pkgs/choco/sftpgo.nuspec b/pkgs/choco/sftpgo.nuspec index ec5bcbfa..00952560 100644 --- a/pkgs/choco/sftpgo.nuspec +++ b/pkgs/choco/sftpgo.nuspec @@ -3,17 +3,17 @@ sftpgo - 2.4.0 + 2.4.1 https://github.com/drakkan/sftpgo/tree/main/pkgs/choco asheroto SFTPGo Nicola Murino https://github.com/drakkan/sftpgo - https://cdn.statically.io/gh/drakkan/sftpgo/v2.4.0/static/img/logo.png + https://cdn.statically.io/gh/drakkan/sftpgo/v2.4.1/static/img/logo.png https://github.com/drakkan/sftpgo/blob/main/LICENSE false https://github.com/drakkan/sftpgo - https://github.com/drakkan/sftpgo/tree/v2.4.0/docs + https://github.com/drakkan/sftpgo/tree/v2.4.1/docs https://github.com/drakkan/sftpgo/issues sftp sftp-server ftp webdav s3 azure-blob google-cloud-storage cloud-storage scp data-at-rest-encryption multi-factor-authentication multi-step-authentication Fully featured and highly configurable SFTP server with optional HTTP/S,FTP/S and WebDAV support. @@ -32,7 +32,7 @@ You can find more info [here](https://github.com/drakkan/sftpgo). * This package installs SFTPGo as Windows Service. * After the first installation please take a look at the [Getting Started Guide](https://github.com/drakkan/sftpgo/blob/main/docs/howto/getting-started.md). - https://github.com/drakkan/sftpgo/releases/tag/v2.4.0 + https://github.com/drakkan/sftpgo/releases/tag/v2.4.1 diff --git a/pkgs/choco/tools/ChocolateyInstall.ps1 b/pkgs/choco/tools/ChocolateyInstall.ps1 index 31ad1a0f..c678e6fb 100644 --- a/pkgs/choco/tools/ChocolateyInstall.ps1 +++ b/pkgs/choco/tools/ChocolateyInstall.ps1 @@ -1,8 +1,8 @@ $ErrorActionPreference = 'Stop' $packageName = 'sftpgo' $softwareName = 'SFTPGo' -$url = 'https://github.com/drakkan/sftpgo/releases/download/v2.4.0/sftpgo_v2.4.0_windows_x86_64.exe' -$checksum = 'D8503BF3C5F606C3445D1286C8C5CA54476EC751E2CE0D4EAAE5EB4903C09412' +$url = 'https://github.com/drakkan/sftpgo/releases/download/v2.4.1/sftpgo_v2.4.1_windows_x86_64.exe' +$checksum = 'AC199E8DE1F90ACE0B310FA2DEB4D84F5A8E1D592CB11F8C79DA3F4C9AC8517E' $silentArgs = '/VERYSILENT' $validExitCodes = @(0) @@ -47,8 +47,8 @@ Write-Output "" Write-Output "General information (README) location:" Write-Output "`thttps://github.com/drakkan/sftpgo" Write-Output "Getting started guide location:" -Write-Output "`thttps://github.com/drakkan/sftpgo/blob/v2.4.0/docs/howto/getting-started.md" +Write-Output "`thttps://github.com/drakkan/sftpgo/blob/v2.4.1/docs/howto/getting-started.md" Write-Output "Detailed information (docs folder) location:" -Write-Output "`thttps://github.com/drakkan/sftpgo/tree/v2.4.0/docs" +Write-Output "`thttps://github.com/drakkan/sftpgo/tree/v2.4.1/docs" Write-Output "" Write-Output "---------------------------" \ No newline at end of file diff --git a/pkgs/debian/changelog b/pkgs/debian/changelog index 34af6fc4..8d7b87b1 100644 --- a/pkgs/debian/changelog +++ b/pkgs/debian/changelog @@ -1,3 +1,9 @@ +sftpgo (2.4.1-1ppa1) bionic; urgency=medium + + * New upstream release + + -- Nicola Murino Sun, 13 Nov 2022 07:34:04 +0100 + sftpgo (2.4.0-1ppa1) bionic; urgency=medium * New upstream release diff --git a/templates/webadmin/admin.html b/templates/webadmin/admin.html index a532584a..828e203e 100644 --- a/templates/webadmin/admin.html +++ b/templates/webadmin/admin.html @@ -96,6 +96,26 @@ along with this program. If not, see . +
+
+ Role +
+
+
Setting a role limit the administrator to only manage users with the same role. Role administrators cannot have the following permissions: "manage_admins", "manage_roles", "manage_event_rules", "manage_apikeys", "manage_system"
+
+ +
+ +
+
+
+
+
Groups for users diff --git a/templates/webadmin/admins.html b/templates/webadmin/admins.html index 7a09a9cd..6d2e4183 100644 --- a/templates/webadmin/admins.html +++ b/templates/webadmin/admins.html @@ -55,6 +55,7 @@ along with this program. If not, see . Email Description Groups for users + Role @@ -70,6 +71,7 @@ along with this program. If not, see . {{.Email}} {{.Description}} {{.GetGroupsAsString}} + {{.Role}} {{end}} @@ -233,7 +235,7 @@ along with this program. If not, see . "visible": false, }, { - "targets": [5,7,8], + "targets": [5,7,8,10], "visible": false, }, { diff --git a/templates/webadmin/base.html b/templates/webadmin/base.html index 5922c48d..18dcec16 100644 --- a/templates/webadmin/base.html +++ b/templates/webadmin/base.html @@ -121,6 +121,14 @@ along with this program. If not, see . {{end}} + {{ if .LoggedAdmin.HasPermission "manage_roles"}} + + {{end}} + {{ if .LoggedAdmin.HasPermission "manage_admins"}}
{{end}} + {{if .Roles}} +
+ +
+ + + Users with a role can be managed by global administrators and administrators with the same role + +
+
+ {{end}} + {{if ne .Mode 3}}
diff --git a/templates/webadmin/users.html b/templates/webadmin/users.html index 3559e50d..082c4498 100644 --- a/templates/webadmin/users.html +++ b/templates/webadmin/users.html @@ -56,6 +56,7 @@ along with this program. If not, see . MFA Bandwidth Quota + Role Other @@ -74,6 +75,7 @@ along with this program. If not, see . {{.GetMFAStatusAsString}} {{.GetBandwidthAsString}} {{.GetQuotaSummary}} + {{.Role}} {{.GetInfoString}} {{.GetLastQuotaUpdateAsString}} @@ -281,7 +283,7 @@ along with this program. If not, see . ], "columnDefs": [ { - "targets": [0,12], + "targets": [0,13], "visible": false, "searchable": false, "className": "noVis" @@ -295,7 +297,7 @@ along with this program. If not, see . "render": $.fn.dataTable.render.datetime() }, { - "targets": [4,5,8], + "targets": [4,5,8,11], "visible": false }, { @@ -325,7 +327,7 @@ along with this program. If not, see . } }, { - "targets": [11], + "targets": [12], "visible": false, "render": $.fn.dataTable.render.ellipsis(100, true) } @@ -349,7 +351,7 @@ along with this program. If not, see . table.button().add(0,'delete'); {{end}} - {{if .LoggedAdmin.HasPermission "add_users"}} + {{if .LoggedAdmin.HasPermission "manage_system"}} table.button().add(0,'template'); {{end}}