beenull/sftpgo
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

validate API key scope

Browse source 
Signed-off-by: Nicola Murino <nicola.murino@gmail.com>
This commit is contained in:
Nicola Murino 2023-09-08 18:54:11 +02:00
parent 1cbaa7c77b
commit aefcea034a
No known key found for this signature in database
GPG key ID: 935D2952DEC4EECF
2 changed files with 23 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

16
internal/httpd/httpd_test.go
View file

@ -15008,6 +15008,13 @@ func TestUserAPIKey(t *testing.T) {
apiKey, _, err = httpdtest.AddAPIKey(apiKey, http.StatusCreated)
assert.NoError(t, err)
adminAPIKey := dataprovider.APIKey{
Name: "testadminkey",
Scope: dataprovider.APIKeyScopeAdmin,
}
adminAPIKey, _, err = httpdtest.AddAPIKey(adminAPIKey, http.StatusCreated)
assert.NoError(t, err)
body := new(bytes.Buffer)
writer := multipart.NewWriter(body)
part, err := writer.CreateFormFile("filenames", "filenametest")
@ -15036,6 +15043,12 @@ func TestUserAPIKey(t *testing.T) {
assert.NoError(t, err)
assert.Len(t, dirEntries, 1)
req, err = http.NewRequest(http.MethodGet, userDirsPath, nil)
assert.NoError(t, err)
setAPIKeyForReq(req, adminAPIKey.Key, user.Username)
rr = executeRequest(req)
checkResponseCode(t, http.StatusForbidden, rr)
user.Status = 0
user, _, err = httpdtest.UpdateUser(user, http.StatusOK, "")
assert.NoError(t, err)
@ -15112,6 +15125,9 @@ func TestUserAPIKey(t *testing.T) {
_, err = httpdtest.RemoveAPIKey(apiKeyNew, http.StatusOK)
assert.NoError(t, err)
_, err = httpdtest.RemoveAPIKey(adminAPIKey, http.StatusOK)
assert.NoError(t, err)
}
func TestWebClientViewPDF(t *testing.T) {

7
internal/httpd/middleware.go
View file

@ -384,6 +384,13 @@ func checkAPIKeyAuth(tokenAuth *jwtauth.JWTAuth, scope dataprovider.APIKeyScope)
sendAPIResponse(w, r, errors.New("the provided api key is not valid"), "", http.StatusBadRequest)
return
}
if k.Scope != scope {
handleDefenderEventLoginFailed(util.GetIPFromRemoteAddress(r.RemoteAddr), dataprovider.ErrInvalidCredentials) //nolint:errcheck
logger.Debug(logSender, "", "unable to authenticate api key %q: invalid scope: got %d, wnated: %d",
apiKey, k.Scope, scope)
sendAPIResponse(w, r, fmt.Errorf("the provided api key is invalid for this request"), "", http.StatusForbidden)
return
}
if err := k.Authenticate(key); err != nil {
handleDefenderEventLoginFailed(util.GetIPFromRemoteAddress(r.RemoteAddr), dataprovider.ErrInvalidCredentials) //nolint:errcheck
logger.Debug(logSender, "", "unable to authenticate api key %q: %v", apiKey, err)