beenull/sftpgo
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

validate API key scope

Browse source 
Signed-off-by: Nicola Murino <nicola.murino@gmail.com>
This commit is contained in:
Nicola Murino 2023-09-08 18:54:11 +02:00
parent 991739d47a
commit e8df1b6e4c
No known key found for this signature in database
GPG key ID: 935D2952DEC4EECF
2 changed files with 23 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

16
internal/httpd/httpd_test.go
View file

@ -14965,6 +14965,13 @@ func TestUserAPIKey(t *testing.T) {
apiKey, _, err = httpdtest.AddAPIKey(apiKey, http.StatusCreated) apiKey, _, err = httpdtest.AddAPIKey(apiKey, http.StatusCreated)
assert.NoError(t, err) assert.NoError(t, err)
adminAPIKey := dataprovider.APIKey{
Name: "testadminkey",
Scope: dataprovider.APIKeyScopeAdmin,
}
adminAPIKey, _, err = httpdtest.AddAPIKey(adminAPIKey, http.StatusCreated)
assert.NoError(t, err)
body := new(bytes.Buffer) body := new(bytes.Buffer)
writer := multipart.NewWriter(body) writer := multipart.NewWriter(body)
part, err := writer.CreateFormFile("filenames", "filenametest") part, err := writer.CreateFormFile("filenames", "filenametest")
@ -14993,6 +15000,12 @@ func TestUserAPIKey(t *testing.T) {
assert.NoError(t, err) assert.NoError(t, err)
assert.Len(t, dirEntries, 1) assert.Len(t, dirEntries, 1)
req, err = http.NewRequest(http.MethodGet, userDirsPath, nil)
assert.NoError(t, err)
setAPIKeyForReq(req, adminAPIKey.Key, user.Username)
rr = executeRequest(req)
checkResponseCode(t, http.StatusForbidden, rr)
user.Status = 0 user.Status = 0
user, _, err = httpdtest.UpdateUser(user, http.StatusOK, "") user, _, err = httpdtest.UpdateUser(user, http.StatusOK, "")
assert.NoError(t, err) assert.NoError(t, err)
@ -15069,6 +15082,9 @@ func TestUserAPIKey(t *testing.T) {
_, err = httpdtest.RemoveAPIKey(apiKeyNew, http.StatusOK) _, err = httpdtest.RemoveAPIKey(apiKeyNew, http.StatusOK)
assert.NoError(t, err) assert.NoError(t, err)
_, err = httpdtest.RemoveAPIKey(adminAPIKey, http.StatusOK)
assert.NoError(t, err)
} }
func TestWebClientViewPDF(t *testing.T) { func TestWebClientViewPDF(t *testing.T) {

7
internal/httpd/middleware.go
View file

@ -384,6 +384,13 @@ func checkAPIKeyAuth(tokenAuth *jwtauth.JWTAuth, scope dataprovider.APIKeyScope)
sendAPIResponse(w, r, errors.New("the provided api key is not valid"), "", http.StatusBadRequest) sendAPIResponse(w, r, errors.New("the provided api key is not valid"), "", http.StatusBadRequest)
return return
} }
if k.Scope != scope {
handleDefenderEventLoginFailed(util.GetIPFromRemoteAddress(r.RemoteAddr), dataprovider.ErrInvalidCredentials) //nolint:errcheck
logger.Debug(logSender, "", "unable to authenticate api key %q: invalid scope: got %d, wnated: %d",
apiKey, k.Scope, scope)
sendAPIResponse(w, r, fmt.Errorf("the provided api key is invalid for this request"), "", http.StatusForbidden)
return
}
if err := k.Authenticate(key); err != nil { if err := k.Authenticate(key); err != nil {
handleDefenderEventLoginFailed(util.GetIPFromRemoteAddress(r.RemoteAddr), dataprovider.ErrInvalidCredentials) //nolint:errcheck handleDefenderEventLoginFailed(util.GetIPFromRemoteAddress(r.RemoteAddr), dataprovider.ErrInvalidCredentials) //nolint:errcheck
logger.Debug(logSender, "", "unable to authenticate api key %q: %v", apiKey, err) logger.Debug(logSender, "", "unable to authenticate api key %q: %v", apiKey, err)