From cacfffc5bfd876d8a8d211e8837b0421387a0642 Mon Sep 17 00:00:00 2001 From: Nicola Murino Date: Tue, 12 Apr 2022 19:31:25 +0200 Subject: [PATCH] OIDC: add support for custom fields These fields can be used in the pre-login hook to implement custom logics Fixes #787 Signed-off-by: Nicola Murino --- README.md | 8 ++---- config/config.go | 7 +++++ config/config_test.go | 5 ++++ dataprovider/dataprovider.go | 28 ++++++++++---------- docs/full-configuration.md | 1 + docs/oidc.md | 29 ++++++++++++++++++++- go.mod | 20 +++++++-------- go.sum | 28 +++++++++++--------- httpd/httpd_test.go | 4 +++ httpd/oidc.go | 50 ++++++++++++++++++++++++------------ httpd/oidc_test.go | 5 ++-- openapi/openapi.yaml | 4 +++ sftpgo.json | 3 ++- vfs/cryptfs.go | 12 ++++++--- vfs/osfs.go | 13 ++++++++-- 15 files changed, 150 insertions(+), 67 deletions(-) diff --git a/README.md b/README.md index 12f2cf74..22e35458 100644 --- a/README.md +++ b/README.md @@ -61,7 +61,7 @@ Several storage backends are supported: local filesystem, encrypted local filesy ## Platforms -SFTPGo is developed and tested on Linux. After each commit, the code is automatically built and tested on Linux, macOS and Windows using a [GitHub Action](./.github/workflows/development.yml). The test cases are regularly manually executed and passed on FreeBSD. Other *BSD variants should work too. +SFTPGo is developed and tested on Linux. After each commit, the code is automatically built and tested on Linux, macOS and Windows using [GitHub Actions](./.github/workflows/development.yml). The test cases are regularly manually executed and passed on FreeBSD. Other *BSD variants should work too. ## Requirements @@ -91,7 +91,7 @@ An official Docker image is available. Documentation is [here](./docker/README.m SFTPGo is also available on [AWS Marketplace](https://aws.amazon.com/marketplace/seller-profile?id=6e849ab8-70a6-47de-9a43-13c3fa849335) and [Azure Marketplace](https://azuremarketplace.microsoft.com/en-us/marketplace/apps/prasselsrl1645470739547.sftpgo_linux), purchasing from there will help keep SFTPGo a long-term sustainable project. -
On Windows you can use +
Windows packages - The Windows installer to install and run SFTPGo as a Windows service. - The portable package to start SFTPGo on demand. @@ -177,8 +177,6 @@ Loading data from a provider independent JSON dump is supported from the previou ## Downgrading -
- If for some reason you want to downgrade SFTPGo, you may need to downgrade your data provider schema and data as well. You can use the `revertprovider` command for this task. As for upgrading, SFTPGo supports downgrading from the previous release branch to the current one. @@ -199,8 +197,6 @@ The `revertprovider` command is not supported for the memory provider. Please note that we only support the current release branch and the current main branch, if you find a bug it is better to report it rather than downgrading to an older unsupported version. -
- ## Users and folders management After starting SFTPGo you can manage users and folders using: diff --git a/config/config.go b/config/config.go index 1df2262e..de901ae7 100644 --- a/config/config.go +++ b/config/config.go @@ -92,6 +92,7 @@ var ( RedirectBaseURL: "", UsernameField: "", RoleField: "", + CustomFields: []string{}, }, Security: httpd.SecurityConf{ Enabled: false, @@ -1283,6 +1284,12 @@ func getHTTPDOIDCFromEnv(idx int) (httpd.OIDC, bool) { isSet = true } + customFields, ok := lookupStringListFromEnv(fmt.Sprintf("SFTPGO_HTTPD__BINDINGS__%v__OIDC__CUSTOM_FIELDS", idx)) + if ok { + result.CustomFields = customFields + isSet = true + } + return result, isSet } diff --git a/config/config_test.go b/config/config_test.go index 633529c4..390c07ef 100644 --- a/config/config_test.go +++ b/config/config_test.go @@ -850,6 +850,7 @@ func TestHTTPDBindingsFromEnv(t *testing.T) { os.Setenv("SFTPGO_HTTPD__BINDINGS__2__OIDC__REDIRECT_BASE_URL", "redirect base url") os.Setenv("SFTPGO_HTTPD__BINDINGS__2__OIDC__USERNAME_FIELD", "preferred_username") os.Setenv("SFTPGO_HTTPD__BINDINGS__2__OIDC__ROLE_FIELD", "sftpgo_role") + os.Setenv("SFTPGO_HTTPD__BINDINGS__2__OIDC__CUSTOM_FIELDS", "field1,field2") os.Setenv("SFTPGO_HTTPD__BINDINGS__2__SECURITY__ENABLED", "true") os.Setenv("SFTPGO_HTTPD__BINDINGS__2__SECURITY__ALLOWED_HOSTS", "*.example.com,*.example.net") os.Setenv("SFTPGO_HTTPD__BINDINGS__2__SECURITY__ALLOWED_HOSTS_ARE_REGEX", "1") @@ -898,6 +899,7 @@ func TestHTTPDBindingsFromEnv(t *testing.T) { os.Unsetenv("SFTPGO_HTTPD__BINDINGS__2__OIDC__REDIRECT_BASE_URL") os.Unsetenv("SFTPGO_HTTPD__BINDINGS__2__OIDC__USERNAME_FIELD") os.Unsetenv("SFTPGO_HTTPD__BINDINGS__2__OIDC__ROLE_FIELD") + os.Unsetenv("SFTPGO_HTTPD__BINDINGS__2__OIDC__CUSTOM_FIELDS") os.Unsetenv("SFTPGO_HTTPD__BINDINGS__2__SECURITY__ENABLED") os.Unsetenv("SFTPGO_HTTPD__BINDINGS__2__SECURITY__ALLOWED_HOSTS") os.Unsetenv("SFTPGO_HTTPD__BINDINGS__2__SECURITY__ALLOWED_HOSTS_ARE_REGEX") @@ -972,6 +974,9 @@ func TestHTTPDBindingsFromEnv(t *testing.T) { require.Equal(t, "redirect base url", bindings[2].OIDC.RedirectBaseURL) require.Equal(t, "preferred_username", bindings[2].OIDC.UsernameField) require.Equal(t, "sftpgo_role", bindings[2].OIDC.RoleField) + require.Len(t, bindings[2].OIDC.CustomFields, 2) + require.Equal(t, "field1", bindings[2].OIDC.CustomFields[0]) + require.Equal(t, "field2", bindings[2].OIDC.CustomFields[1]) require.True(t, bindings[2].Security.Enabled) require.Len(t, bindings[2].Security.AllowedHosts, 2) require.Equal(t, "*.example.com", bindings[2].Security.AllowedHosts[0]) diff --git a/dataprovider/dataprovider.go b/dataprovider/dataprovider.go index 6b1898ac..8cdb18d7 100644 --- a/dataprovider/dataprovider.go +++ b/dataprovider/dataprovider.go @@ -977,7 +977,7 @@ func CheckCompositeCredentials(username, password, ip, loginMethod, protocol str } else if config.ExternalAuthHook != "" && (config.ExternalAuthScope == 0 || config.ExternalAuthScope&1 != 0) { user, err = doExternalAuth(username, password, nil, "", ip, protocol, nil) } else if config.PreLoginHook != "" { - user, err = executePreLoginHook(username, LoginMethodPassword, ip, protocol) + user, err = executePreLoginHook(username, LoginMethodPassword, ip, protocol, nil) } if err != nil { return user, loginMethod, err @@ -997,7 +997,7 @@ func CheckUserBeforeTLSAuth(username, ip, protocol string, tlsCert *x509.Certifi return doExternalAuth(username, "", nil, "", ip, protocol, tlsCert) } if config.PreLoginHook != "" { - return executePreLoginHook(username, LoginMethodTLSCertificate, ip, protocol) + return executePreLoginHook(username, LoginMethodTLSCertificate, ip, protocol, nil) } return UserExists(username) } @@ -1021,7 +1021,7 @@ func CheckUserAndTLSCert(username, ip, protocol string, tlsCert *x509.Certificat return checkUserAndTLSCertificate(&user, protocol, tlsCert) } if config.PreLoginHook != "" { - user, err := executePreLoginHook(username, LoginMethodTLSCertificate, ip, protocol) + user, err := executePreLoginHook(username, LoginMethodTLSCertificate, ip, protocol, nil) if err != nil { return user, err } @@ -1048,7 +1048,7 @@ func CheckUserAndPass(username, password, ip, protocol string) (User, error) { return checkUserAndPass(&user, password, ip, protocol) } if config.PreLoginHook != "" { - user, err := executePreLoginHook(username, LoginMethodPassword, ip, protocol) + user, err := executePreLoginHook(username, LoginMethodPassword, ip, protocol, nil) if err != nil { return user, err } @@ -1075,7 +1075,7 @@ func CheckUserAndPubKey(username string, pubKey []byte, ip, protocol string, isS return checkUserAndPubKey(&user, pubKey, isSSHCert) } if config.PreLoginHook != "" { - user, err := executePreLoginHook(username, SSHLoginMethodPublicKey, ip, protocol) + user, err := executePreLoginHook(username, SSHLoginMethodPublicKey, ip, protocol, nil) if err != nil { return user, "", err } @@ -1095,7 +1095,7 @@ func CheckKeyboardInteractiveAuth(username, authHook string, client ssh.Keyboard } else if config.ExternalAuthHook != "" && (config.ExternalAuthScope == 0 || config.ExternalAuthScope&4 != 0) { user, err = doExternalAuth(username, "", nil, "1", ip, protocol, nil) } else if config.PreLoginHook != "" { - user, err = executePreLoginHook(username, SSHLoginMethodKeyboardInteractive, ip, protocol) + user, err = executePreLoginHook(username, SSHLoginMethodKeyboardInteractive, ip, protocol, nil) } else { user, err = provider.userExists(username) } @@ -1109,9 +1109,9 @@ func CheckKeyboardInteractiveAuth(username, authHook string, client ssh.Keyboard // after a successful authentication with an external identity provider. // If a pre-login hook is defined it will be executed so the SFTPGo user // can be created if it does not exist -func GetUserAfterIDPAuth(username, ip, protocol string) (User, error) { +func GetUserAfterIDPAuth(username, ip, protocol string, oidcTokenFields *map[string]interface{}) (User, error) { if config.PreLoginHook != "" { - return executePreLoginHook(username, LoginMethodIDP, ip, protocol) + return executePreLoginHook(username, LoginMethodIDP, ip, protocol, oidcTokenFields) } return UserExists(username) } @@ -2232,6 +2232,7 @@ func ValidateFolder(folder *vfs.BaseVirtualFolder) error { // ValidateUser returns an error if the user is not valid // FIXME: this should be defined as User struct method func ValidateUser(user *User) error { + user.OIDCCustomFields = nil user.SetEmptySecretsIfNil() buildUserHomeDir(user) if err := validateBaseParams(user); err != nil { @@ -3004,8 +3005,8 @@ func getPreLoginHookResponse(loginMethod, ip, protocol string, userAsJSON []byte return cmd.Output() } -func executePreLoginHook(username, loginMethod, ip, protocol string) (User, error) { - u, userAsJSON, err := getUserAndJSONForHook(username) +func executePreLoginHook(username, loginMethod, ip, protocol string, oidcTokenFields *map[string]interface{}) (User, error) { + u, userAsJSON, err := getUserAndJSONForHook(username, oidcTokenFields) if err != nil { return u, err } @@ -3210,7 +3211,7 @@ func doExternalAuth(username, password string, pubKey []byte, keyboardInteractiv ) (User, error) { var user User - u, userAsJSON, err := getUserAndJSONForHook(username) + u, userAsJSON, err := getUserAndJSONForHook(username, nil) if err != nil { return user, err } @@ -3290,7 +3291,7 @@ func doPluginAuth(username, password string, pubKey []byte, ip, protocol string, ) (User, error) { var user User - u, userAsJSON, err := getUserAndJSONForHook(username) + u, userAsJSON, err := getUserAndJSONForHook(username, nil) if err != nil { return user, err } @@ -3355,7 +3356,7 @@ func doPluginAuth(username, password string, pubKey []byte, ip, protocol string, return provider.userExists(user.Username) } -func getUserAndJSONForHook(username string) (User, []byte, error) { +func getUserAndJSONForHook(username string, oidcTokenFields *map[string]interface{}) (User, []byte, error) { var userAsJSON []byte u, err := provider.userExists(username) if err != nil { @@ -3369,6 +3370,7 @@ func getUserAndJSONForHook(username string) (User, []byte, error) { }, } } + u.OIDCCustomFields = oidcTokenFields userAsJSON, err = json.Marshal(u) if err != nil { return u, userAsJSON, err diff --git a/docs/full-configuration.md b/docs/full-configuration.md index b7c288b8..1bc61f19 100644 --- a/docs/full-configuration.md +++ b/docs/full-configuration.md @@ -254,6 +254,7 @@ The configuration file contains the following sections: - `redirect_base_url`, string. Defines the base URL to redirect to after OpenID authentication. The suffix `/web/oidc/redirect` will be added to this base URL, adding also the `web_root` if configured. Default: blank. - `username_field`, string. Defines the ID token claims field to map to the SFTPGo username. Default: blank. - `role_field`, string. Defines the optional ID token claims field to map to a SFTPGo role. If the defined ID token claims field is set to `admin` the authenticated user is mapped to an SFTPGo admin. You don't need to specify this field if you want to use OpenID only for the Web Client UI. Default: blank. + - `custom_fields`, list of strings. Custom token claims fields to pass to the pre-login hook. Default: empty. - `security`, struct. Defines security headers to add to HTTP responses and allows to restrict allowed hosts. The following parameters are supported: - `enabled`, boolean. Set to `true` to enable security configurations. Default: `false`. - `allowed_hosts`, list of strings. Fully qualified domain names that are allowed. An empty list allows any and all host names. Default: empty. diff --git a/docs/oidc.md b/docs/oidc.md index 3e3b20fa..1b3cb6d7 100644 --- a/docs/oidc.md +++ b/docs/oidc.md @@ -42,7 +42,8 @@ Add the following configuration parameters to the SFTPGo configuration file (or "config_url": "http://192.168.1.12:8086/auth/realms/sftpgo", "redirect_base_url": "http://192.168.1.50:8080", "username_field": "preferred_username", - "role_field": "sftpgo_role" + "role_field": "sftpgo_role", + "custom_fields": [] } ... ``` @@ -99,3 +100,29 @@ And the following is an example ID token which allows the SFTPGo user `user1` to ``` SFTPGo users (not admins) can be created/updated after successful OpenID authentication by defining a [pre-login hook](./dynamic-user-mod.md). +You can use the `custom_fields` configuration parameter to define the token claims field names to pass to the pre-login hook, these fields are useful for implementing custom logic when creating/updating the SFTPGo user within the hook. +For example you can set the field `sftpgo_home_dir` in your identity provider and add it to the `custom_fields` in the SFTPGo configuration like this: + +```json +... + "oidc": { + "client_id": "sftpgo-client", + "client_secret": "jRsmE0SWnuZjP7djBqNq0mrf8QN77j2c", + "config_url": "http://192.168.1.12:8086/auth/realms/sftpgo", + "redirect_base_url": "http://192.168.1.50:8080", + "username_field": "preferred_username", + "role_field": "sftpgo_role", + "custom_fields": ["sftpgo_home_dir"] + } +... +``` + +The pre-login hook will receive a JSON serialized user with the following field: + +```json +... + "oidc_custom_fields": { + "sftpgo_home_dir": "configured value" + }, +... +``` diff --git a/go.mod b/go.mod index 8e939b78..0b2dd090 100644 --- a/go.mod +++ b/go.mod @@ -50,7 +50,7 @@ require ( github.com/rs/cors v1.8.2 github.com/rs/xid v1.4.0 github.com/rs/zerolog v1.26.2-0.20220312163309-e9344a8c507b - github.com/sftpgo/sdk v0.1.1-0.20220327080604-3c0f878c8c37 + github.com/sftpgo/sdk v0.1.1-0.20220412171743-453880fab5f7 github.com/shirou/gopsutil/v3 v3.22.3 github.com/spf13/afero v1.8.2 github.com/spf13/cobra v1.4.0 @@ -64,11 +64,11 @@ require ( go.etcd.io/bbolt v1.3.6 go.uber.org/automaxprocs v1.5.1 gocloud.dev v0.25.0 - golang.org/x/crypto v0.0.0-20220331220935-ae2d96664a29 - golang.org/x/net v0.0.0-20220401154927-543a649e0bdd - golang.org/x/oauth2 v0.0.0-20220309155454-6242fa91716a - golang.org/x/sys v0.0.0-20220408201424-a24fb2fb8a0f - golang.org/x/time v0.0.0-20220224211638-0e9765cccd65 + golang.org/x/crypto v0.0.0-20220411220226-7b82a4e95df4 + golang.org/x/net v0.0.0-20220412020605-290c469a71a5 + golang.org/x/oauth2 v0.0.0-20220411215720-9780585627b5 + golang.org/x/sys v0.0.0-20220412071739-889880a91fd5 + golang.org/x/time v0.0.0-20220411224347-583f2d630306 google.golang.org/api v0.74.0 gopkg.in/natefinch/lumberjack.v2 v2.0.0 ) @@ -105,7 +105,7 @@ require ( github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect github.com/golang/protobuf v1.5.2 // indirect github.com/google/go-cmp v0.5.7 // indirect - github.com/googleapis/gax-go/v2 v2.2.0 // indirect + github.com/googleapis/gax-go/v2 v2.3.0 // indirect github.com/googleapis/go-type-adapters v1.0.0 // indirect github.com/hashicorp/go-cleanhttp v0.5.2 // indirect github.com/hashicorp/hcl v1.0.0 // indirect @@ -149,7 +149,7 @@ require ( golang.org/x/mod v0.6.0-dev.0.20220106191415-9b9b3d81d5e3 // indirect golang.org/x/text v0.3.7 // indirect golang.org/x/tools v0.1.10 // indirect - golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 // indirect + golang.org/x/xerrors v0.0.0-20220411194840-2f41105eb62f // indirect google.golang.org/appengine v1.6.7 // indirect google.golang.org/genproto v0.0.0-20220407144326-9054f6ed7bac // indirect google.golang.org/grpc v1.45.0 // indirect @@ -162,6 +162,6 @@ require ( replace ( github.com/jlaffaye/ftp => github.com/drakkan/ftp v0.0.0-20201114075148-9b9adce499a9 - golang.org/x/crypto => github.com/drakkan/crypto v0.0.0-20220404114519-57edd90b9b42 - golang.org/x/net => github.com/drakkan/net v0.0.0-20220403065115-db06d28f9f8d + golang.org/x/crypto => github.com/drakkan/crypto v0.0.0-20220412172350-e76a61f8e7d2 + golang.org/x/net => github.com/drakkan/net v0.0.0-20220412172245-b4d0d6443325 ) diff --git a/go.sum b/go.sum index 552e8260..13b34f6e 100644 --- a/go.sum +++ b/go.sum @@ -232,12 +232,12 @@ github.com/dimchansky/utfbom v1.1.1/go.mod h1:SxdoEBH5qIqFocHMyGOXVAybYJdr71b1Q/ github.com/dnaeon/go-vcr v1.1.0/go.mod h1:M7tiix8f0r6mKKJ3Yq/kqU1OYf3MnfmBWVbPx/yU9ko= github.com/dnaeon/go-vcr v1.2.0 h1:zHCHvJYTMh1N7xnV7zf1m1GPBF9Ad0Jk/whtQ1663qI= github.com/dnaeon/go-vcr v1.2.0/go.mod h1:R4UdLID7HZT3taECzJs4YgbbH6PIGXB6W/sc5OLb6RQ= -github.com/drakkan/crypto v0.0.0-20220404114519-57edd90b9b42 h1:zEfdtweSYZtEJqrUuezFPsfuvsSdNlbcpi3jlPUQqBc= -github.com/drakkan/crypto v0.0.0-20220404114519-57edd90b9b42/go.mod h1:SiM6ypd8Xu1xldObYtbDztuUU7xUzMnUULfphXFZmro= +github.com/drakkan/crypto v0.0.0-20220412172350-e76a61f8e7d2 h1:5XmEywX1u5gPgOC+MJuTwLtjMd6gC6t40W+dBgbriSE= +github.com/drakkan/crypto v0.0.0-20220412172350-e76a61f8e7d2/go.mod h1:SiM6ypd8Xu1xldObYtbDztuUU7xUzMnUULfphXFZmro= github.com/drakkan/ftp v0.0.0-20201114075148-9b9adce499a9 h1:LPH1dEblAOO/LoG7yHPMtBLXhQmjaga91/DDjWk9jWA= github.com/drakkan/ftp v0.0.0-20201114075148-9b9adce499a9/go.mod h1:2lmrmq866uF2tnje75wQHzmPXhmSWUt7Gyx2vgK1RCU= -github.com/drakkan/net v0.0.0-20220403065115-db06d28f9f8d h1:pFFnOn4oQ+0Ewvn4/K41uW6troPfOwMeEHN7RBgIaA4= -github.com/drakkan/net v0.0.0-20220403065115-db06d28f9f8d/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk= +github.com/drakkan/net v0.0.0-20220412172245-b4d0d6443325 h1:yPXArUzpptMAZ95OJHLh4rAG/VMpSqU7R63Tw7Ui22Y= +github.com/drakkan/net v0.0.0-20220412172245-b4d0d6443325/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk= github.com/eikenb/pipeat v0.0.0-20210730190139-06b3e6902001 h1:/ZshrfQzayqRSBDodmp3rhNCHJCff+utvgBuWRbiqu4= github.com/eikenb/pipeat v0.0.0-20210730190139-06b3e6902001/go.mod h1:kltMsfRMTHSFdMbK66XdS8mfMW77+FZA1fGY1xYMF84= github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= @@ -406,8 +406,9 @@ github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+ github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk= github.com/googleapis/gax-go/v2 v2.1.0/go.mod h1:Q3nei7sK6ybPYH7twZdmQpAd1MKb7pfu6SK+H1/DsU0= github.com/googleapis/gax-go/v2 v2.1.1/go.mod h1:hddJymUZASv3XPyGkUpKj8pPO47Rmb0eJc8R6ouapiM= -github.com/googleapis/gax-go/v2 v2.2.0 h1:s7jOdKSaksJVOxE0Y/S32otcfiP+UQ0cL8/GTKaONwE= github.com/googleapis/gax-go/v2 v2.2.0/go.mod h1:as02EH8zWkzwUoLbBaFeQ+arQaj/OthfcblKl4IGNaM= +github.com/googleapis/gax-go/v2 v2.3.0 h1:nRJtk3y8Fm770D42QV6T90ZnvFZyk7agSo3Q+Z9p3WI= +github.com/googleapis/gax-go/v2 v2.3.0/go.mod h1:b8LNqSzNabLiUpXKkY7HAR5jr6bIT99EXz9pXxye9YM= github.com/googleapis/go-type-adapters v1.0.0 h1:9XdMn+d/G57qq1s8dNc5IesGCXHf6V2HZ2JwRxfA2tA= github.com/googleapis/go-type-adapters v1.0.0/go.mod h1:zHW75FOG2aur7gAO2B+MLby+cLsWGBF62rFAi7WjWO4= github.com/googleapis/google-cloud-go-testing v0.0.0-20200911160855-bcd43fbb19e8/go.mod h1:dvDLG8qkwmyD9a/MJJN3XJcT3xFxOKAvTZGvuZmac9g= @@ -685,8 +686,8 @@ github.com/russross/blackfriday/v2 v2.1.0 h1:JIOH55/0cWyOuilr9/qlrm0BSXldqnqwMsf github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= github.com/satori/go.uuid v1.2.0/go.mod h1:dA0hQrYB0VpLJoorglMZABFdXlWrHn1NEOzdhQKdks0= github.com/secsy/goftp v0.0.0-20200609142545-aa2de14babf4 h1:PT+ElG/UUFMfqy5HrxJxNzj3QBOf7dZwupeVC+mG1Lo= -github.com/sftpgo/sdk v0.1.1-0.20220327080604-3c0f878c8c37 h1:ESruo35Pb9cCgaGslAmw6leGhzeL0pLzD6o+z9gsZeQ= -github.com/sftpgo/sdk v0.1.1-0.20220327080604-3c0f878c8c37/go.mod h1:m5J7DH8unhD5RUsREFRiidP8zgBjup0+iQaxQnYHJOM= +github.com/sftpgo/sdk v0.1.1-0.20220412171743-453880fab5f7 h1:y1N2hPOqO1sTCwvtlKWrAiLBLOfThPuE17Tvju1wohs= +github.com/sftpgo/sdk v0.1.1-0.20220412171743-453880fab5f7/go.mod h1:m5J7DH8unhD5RUsREFRiidP8zgBjup0+iQaxQnYHJOM= github.com/shirou/gopsutil/v3 v3.22.3 h1:UebRzEomgMpv61e3hgD1tGooqX5trFbdU/ehphbHd00= github.com/shirou/gopsutil/v3 v3.22.3/go.mod h1:D01hZJ4pVHPpCTZ3m3T2+wDF2YAGfd+H4ifUguaQzHM= github.com/shopspring/decimal v0.0.0-20180709203117-cd690d0c9e24/go.mod h1:M+9NzErvs504Cn4c5DxATwIqPbtswREoFCre64PpcG4= @@ -838,8 +839,9 @@ golang.org/x/oauth2 v0.0.0-20210819190943-2bc19b11175f/go.mod h1:KelEdhl1UZF7XfJ golang.org/x/oauth2 v0.0.0-20211005180243-6b3c2da341f1/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= golang.org/x/oauth2 v0.0.0-20211104180415-d3ed0bb246c8/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= golang.org/x/oauth2 v0.0.0-20220223155221-ee480838109b/go.mod h1:DAh4E804XQdzx2j+YRIaUnCqCV2RuMz24cGBJ5QYIrc= -golang.org/x/oauth2 v0.0.0-20220309155454-6242fa91716a h1:qfl7ob3DIEs3Ml9oLuPwY2N04gymzAW04WsUQHIClgM= golang.org/x/oauth2 v0.0.0-20220309155454-6242fa91716a/go.mod h1:DAh4E804XQdzx2j+YRIaUnCqCV2RuMz24cGBJ5QYIrc= +golang.org/x/oauth2 v0.0.0-20220411215720-9780585627b5 h1:OSnWWcOd/CtWQC2cYSBgbTSJv3ciqd8r54ySIW2y3RE= +golang.org/x/oauth2 v0.0.0-20220411215720-9780585627b5/go.mod h1:DAh4E804XQdzx2j+YRIaUnCqCV2RuMz24cGBJ5QYIrc= golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= @@ -932,8 +934,8 @@ golang.org/x/sys v0.0.0-20220209214540-3681064d5158/go.mod h1:oPkhp1MJrh7nUepCBc golang.org/x/sys v0.0.0-20220227234510-4e6760a101f9/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220328115105-d36c6a25d886/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220330033206-e17cdc41300f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20220408201424-a24fb2fb8a0f h1:8w7RhxzTVgUzw/AH/9mUV5q0vMgy40SQRursCcfmkCw= -golang.org/x/sys v0.0.0-20220408201424-a24fb2fb8a0f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220412071739-889880a91fd5 h1:NubxfvTRuNb4RVzWrIDAUzUvREH1HkCD4JjyQTSG9As= +golang.org/x/sys v0.0.0-20220412071739-889880a91fd5/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211 h1:JGgROgKl9N8DuW20oFS5gxc+lE67/N3FcwmBPMe7ArY= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= @@ -951,8 +953,9 @@ golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxb golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20211116232009-f0f3c7e86c11/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= -golang.org/x/time v0.0.0-20220224211638-0e9765cccd65 h1:M73Iuj3xbbb9Uk1DYhzydthsj6oOd6l9bpuFcNoUvTs= golang.org/x/time v0.0.0-20220224211638-0e9765cccd65/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= +golang.org/x/time v0.0.0-20220411224347-583f2d630306 h1:+gHMid33q6pen7kv9xvT+JRinntgeXO2AeZVd0AWD3w= +golang.org/x/time v0.0.0-20220411224347-583f2d630306/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY= @@ -1022,8 +1025,9 @@ golang.org/x/xerrors v0.0.0-20190513163551-3ee3066db522/go.mod h1:I/5z698sn9Ka8T golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= -golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 h1:go1bK/D/BFZV2I8cIQd1NKEZ+0owSTG1fDTci4IqFcE= golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +golang.org/x/xerrors v0.0.0-20220411194840-2f41105eb62f h1:GGU+dLjvlC3qDwqYgL6UgRmHXhOOgns0bZu2Ty5mm6U= +golang.org/x/xerrors v0.0.0-20220411194840-2f41105eb62f/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= google.golang.org/api v0.4.0/go.mod h1:8k5glujaEP+g9n7WNsDg8QP6cUVNI86fCNMcbazEtwE= google.golang.org/api v0.7.0/go.mod h1:WtwebWUNSVBH/HAw79HIFXZNqEvBhG+Ra+ax0hx3E3M= google.golang.org/api v0.8.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg= diff --git a/httpd/httpd_test.go b/httpd/httpd_test.go index c3f69427..c183b4d0 100644 --- a/httpd/httpd_test.go +++ b/httpd/httpd_test.go @@ -511,6 +511,9 @@ func TestBasicUserHandling(t *testing.T) { user.AdditionalInfo = "some free text" user.Filters.TLSUsername = sdk.TLSUsernameCN user.Email = "user@example.net" + user.OIDCCustomFields = &map[string]interface{}{ + "field1": "value1", + } user.Filters.WebClient = append(user.Filters.WebClient, sdk.WebClientPubKeyChangeDisabled, sdk.WebClientWriteDisabled) originalUser := user @@ -520,6 +523,7 @@ func TestBasicUserHandling(t *testing.T) { user, _, err = httpdtest.GetUserByUsername(defaultUsername, http.StatusOK) assert.NoError(t, err) + assert.Nil(t, user.OIDCCustomFields) user.Email = "invalid@email" _, body, err := httpdtest.UpdateUser(user, http.StatusBadRequest, "") diff --git a/httpd/oidc.go b/httpd/oidc.go index 534b80d0..11950855 100644 --- a/httpd/oidc.go +++ b/httpd/oidc.go @@ -75,7 +75,9 @@ type OIDC struct { // is mapped to an SFTPGo admin. // You don't need to specify this field if you want to use OpenID only for the // Web Client UI - RoleField string `json:"role_field" mapstructure:"role_field"` + RoleField string `json:"role_field" mapstructure:"role_field"` + // Custom token claims fields to pass to the pre-login hook + CustomFields []string `json:"custom_fields" mapstructure:"custom_fields"` provider *oidc.Provider verifier OIDCTokenVerifier providerLogoutURL string @@ -160,21 +162,22 @@ func newOIDCPendingAuth(audience tokenAudience) oidcPendingAuth { } type oidcToken struct { - AccessToken string `json:"access_token"` - TokenType string `json:"token_type,omitempty"` - RefreshToken string `json:"refresh_token,omitempty"` - ExpiresAt int64 `json:"expires_at,omitempty"` - SessionID string `json:"session_id"` - IDToken string `json:"id_token"` - Nonce string `json:"nonce"` - Username string `json:"username"` - Permissions []string `json:"permissions"` - Role interface{} `json:"role"` - Cookie string `json:"cookie"` - UsedAt int64 `json:"used_at"` + AccessToken string `json:"access_token"` + TokenType string `json:"token_type,omitempty"` + RefreshToken string `json:"refresh_token,omitempty"` + ExpiresAt int64 `json:"expires_at,omitempty"` + SessionID string `json:"session_id"` + IDToken string `json:"id_token"` + Nonce string `json:"nonce"` + Username string `json:"username"` + Permissions []string `json:"permissions"` + Role interface{} `json:"role"` + CustomFields *map[string]interface{} `json:"custom_fields,omitempty"` + Cookie string `json:"cookie"` + UsedAt int64 `json:"used_at"` } -func (t *oidcToken) parseClaims(claims map[string]interface{}, usernameField, roleField string) error { +func (t *oidcToken) parseClaims(claims map[string]interface{}, usernameField, roleField string, customFields []string) error { getClaimsFields := func() []string { keys := make([]string, 0, len(claims)) for k := range claims { @@ -195,6 +198,21 @@ func (t *oidcToken) parseClaims(claims map[string]interface{}, usernameField, ro t.Role = role } } + t.CustomFields = nil + if len(customFields) > 0 { + for _, field := range customFields { + if val, ok := claims[field]; ok { + if t.CustomFields == nil { + customFields := make(map[string]interface{}) + t.CustomFields = &customFields + } + logger.Debug(logSender, "", "custom field %#v found in token claims", field) + (*t.CustomFields)[field] = val + } else { + logger.Info(logSender, "", "custom field %#v not found in token claims", field) + } + } + } sid, ok := claims["sid"].(string) if ok { t.SessionID = sid @@ -300,7 +318,7 @@ func (t *oidcToken) getUser(r *http.Request) error { return nil } ipAddr := util.GetIPFromRemoteAddress(r.RemoteAddr) - user, err := dataprovider.GetUserAfterIDPAuth(t.Username, ipAddr, common.ProtocolOIDC) + user, err := dataprovider.GetUserAfterIDPAuth(t.Username, ipAddr, common.ProtocolOIDC, t.CustomFields) if err != nil { return err } @@ -616,7 +634,7 @@ func (s *httpdServer) handleOIDCRedirect(w http.ResponseWriter, r *http.Request) if !oauth2Token.Expiry.IsZero() { token.ExpiresAt = util.GetTimeAsMsSinceEpoch(oauth2Token.Expiry) } - if err = token.parseClaims(claims, s.binding.OIDC.UsernameField, s.binding.OIDC.RoleField); err != nil { + if err = token.parseClaims(claims, s.binding.OIDC.UsernameField, s.binding.OIDC.RoleField, s.binding.OIDC.CustomFields); err != nil { logger.Debug(logSender, "", "unable to parse oidc token claims: %v", err) setFlashMessage(w, r, fmt.Sprintf("Unable to parse OpenID token claims: %v", err)) doRedirect() diff --git a/httpd/oidc_test.go b/httpd/oidc_test.go index 9f37a460..5cabaccf 100644 --- a/httpd/oidc_test.go +++ b/httpd/oidc_test.go @@ -878,7 +878,6 @@ func TestOIDCPreLoginHook(t *testing.T) { u := dataprovider.User{ BaseUser: sdk.BaseUser{ Username: username, - Password: "unused", HomeDir: filepath.Join(os.TempDir(), username), Status: 1, Permissions: map[string][]string{ @@ -897,6 +896,7 @@ func TestOIDCPreLoginHook(t *testing.T) { err = dataprovider.Initialize(newProviderConf, "..", true) assert.NoError(t, err) server := getTestOIDCServer() + server.binding.OIDC.CustomFields = []string{"field1", "field2"} err = server.binding.OIDC.initialize() assert.NoError(t, err) server.initializeRouter() @@ -949,7 +949,7 @@ func TestOIDCPreLoginHook(t *testing.T) { Nonce: authReq.Nonce, Expiry: time.Now().Add(5 * time.Minute), } - setIDTokenClaims(idToken, []byte(`{"preferred_username":"`+username+`"}`)) + setIDTokenClaims(idToken, []byte(`{"preferred_username":"`+username+`","field1":"value1","field2":"value2","field3":"value3"}`)) server.binding.OIDC.verifier = &mockOIDCVerifier{ err: nil, token: idToken, @@ -989,6 +989,7 @@ func getTestOIDCServer() *httpdServer { RedirectBaseURL: "http://127.0.0.1:8081/", UsernameField: "preferred_username", RoleField: "sftpgo_role", + CustomFields: nil, }, }, enableWebAdmin: true, diff --git a/openapi/openapi.yaml b/openapi/openapi.yaml index 8de9d089..f21e62b3 100644 --- a/openapi/openapi.yaml +++ b/openapi/openapi.yaml @@ -5070,6 +5070,10 @@ components: additional_info: type: string description: Free form text field for external systems + oidc_custom_fields: + type: object + additionalProperties: true + description: 'This field is passed to the pre-login hook if custom OIDC token fields have been configured. Field values can be of any type (this is a free form object) and depend on the type of the configured OIDC token fields' AdminFilters: type: object properties: diff --git a/sftpgo.json b/sftpgo.json index 81eb6ae0..373100e8 100644 --- a/sftpgo.json +++ b/sftpgo.json @@ -237,7 +237,8 @@ "config_url": "", "redirect_base_url": "", "username_field": "", - "role_field": "" + "role_field": "", + "custom_fields": [] }, "security": { "enabled": false, diff --git a/vfs/cryptfs.go b/vfs/cryptfs.go index 5c69c3df..9a0515dc 100644 --- a/vfs/cryptfs.go +++ b/vfs/cryptfs.go @@ -203,14 +203,18 @@ func (fs *CryptFs) ReadDir(dirname string) ([]os.FileInfo, error) { if err != nil { return nil, err } - list, err := f.Readdir(-1) + entries, err := f.ReadDir(-1) f.Close() if err != nil { return nil, err } - result := make([]os.FileInfo, 0, len(list)) - for _, info := range list { - result = append(result, fs.ConvertFileInfo(info)) + result := make([]os.FileInfo, len(entries)) + for idx, entry := range entries { + info, err := entry.Info() + if err != nil { + return nil, err + } + result[idx] = fs.ConvertFileInfo(info) } return result, nil } diff --git a/vfs/osfs.go b/vfs/osfs.go index bc7d2323..c75c2733 100644 --- a/vfs/osfs.go +++ b/vfs/osfs.go @@ -3,6 +3,7 @@ package vfs import ( "fmt" "io" + "io/fs" "net/http" "os" "path" @@ -170,12 +171,20 @@ func (*OsFs) ReadDir(dirname string) ([]os.FileInfo, error) { if err != nil { return nil, err } - list, err := f.Readdir(-1) + entries, err := f.ReadDir(-1) f.Close() if err != nil { return nil, err } - return list, nil + result := make([]fs.FileInfo, len(entries)) + for idx, entry := range entries { + info, err := entry.Info() + if err != nil { + return nil, err + } + result[idx] = info + } + return result, nil } // IsUploadResumeSupported returns true if resuming uploads is supported