sftpfs: map path resolution error to permission denied

Fixes #543

.github/workflows/development.yml

@@ -2,7 +2,7 @@ name: CI
 
 on:
   push:
-    branches: [main]
+    branches: [2.1.x]
   pull_request:
 
 jobs:

.github/workflows/docker.yml

@@ -4,8 +4,6 @@ on:
   #schedule:
   #  - cron: '0 4 * * *' # everyday at 4:00 AM UTC
   push:
-    branches:
-      - main
     tags:
       - v*
   pull_request:

.github/workflows/release.yml

@@ -5,7 +5,7 @@ on:
     tags: 'v*'
 
 env:
-  GO_VERSION: 1.16.5
+  GO_VERSION: 1.16.8
 
 jobs:
   prepare-sources-with-deps:

cmd/portable.go

@@ -1,3 +1,4 @@
+//go:build !noportable
 // +build !noportable
 
 package cmd

cmd/portable_disabled.go

@@ -1,3 +1,4 @@
+//go:build noportable
 // +build noportable
 
 package cmd

cmd/root.go

@@ -71,6 +71,7 @@ var (
 )
 
 func init() {
+	rootCmd.CompletionOptions.DisableDefaultCmd = true
 	rootCmd.Flags().BoolP("version", "v", false, "")
 	rootCmd.Version = version.GetAsString()
 	rootCmd.SetVersionTemplate(`{{printf "SFTPGo "}}{{printf "%s" .Version}}

common/common.go

@@ -409,9 +409,8 @@ func (c *Configuration) IsAtomicUploadEnabled() bool {
 }
 
 // GetProxyListener returns a wrapper for the given listener that supports the
-// HAProxy Proxy Protocol or nil if the proxy protocol is not configured
+// HAProxy Proxy Protocol
 func (c *Configuration) GetProxyListener(listener net.Listener) (*proxyproto.Listener, error) {
-	var proxyListener *proxyproto.Listener
 	var err error
 	if c.ProxyProtocol > 0 {
 		var policyFunc func(upstream net.Addr) (proxyproto.Policy, error)
@@ -433,12 +432,13 @@ func (c *Configuration) GetProxyListener(listener net.Listener) (*proxyproto.Lis
 				}
 			}
 		}
-		proxyListener = &proxyproto.Listener{
-			Listener: listener,
-			Policy:   policyFunc,
-		}
+		return &proxyproto.Listener{
+			Listener:          listener,
+			Policy:            policyFunc,
+			ReadHeaderTimeout: 5 * time.Second,
+		}, nil
 	}
-	return proxyListener, nil
+	return nil, errors.New("proxy protocol not configured")
 }
 
 // ExecuteStartupHook runs the startup hook if defined

common/common_test.go

@@ -730,6 +730,26 @@ func TestParseAllowedIPAndRanges(t *testing.T) {
 	assert.False(t, allow[1](net.ParseIP("172.16.1.1")))
 }
 
+func TestHideConfidentialData(t *testing.T) {
+	for _, provider := range []vfs.FilesystemProvider{vfs.S3FilesystemProvider, vfs.GCSFilesystemProvider,
+		vfs.AzureBlobFilesystemProvider, vfs.CryptedFilesystemProvider, vfs.SFTPFilesystemProvider} {
+		u := dataprovider.User{
+			FsConfig: vfs.Filesystem{
+				Provider: provider,
+			},
+		}
+		u.PrepareForRendering()
+		f := vfs.BaseVirtualFolder{
+			FsConfig: vfs.Filesystem{
+				Provider: provider,
+			},
+		}
+		f.PrepareForRendering()
+	}
+	a := dataprovider.Admin{}
+	a.HideConfidentialData()
+}
+
 func BenchmarkBcryptHashing(b *testing.B) {
 	bcryptPassword := "bcryptpassword"
 	for i := 0; i < b.N; i++ {

common/connection.go

@@ -21,8 +21,11 @@ import (
 // BaseConnection defines common fields for a connection using any supported protocol
 type BaseConnection struct {
 	// last activity for this connection.
-	// Since this is accessed atomically we put as first element of the struct achieve 64 bit alignment
+	// Since this field is accessed atomically we put it as first element of the struct to achieve 64 bit alignment
 	lastActivity int64
+	// unique ID for a transfer.
+	// This field is accessed atomically so we put it at the beginning of the struct to achieve 64 bit alignment
+	transferID uint64
 	// Unique identifier for the connection
 	ID string
 	// user associated with this connection if any
@@ -32,7 +35,6 @@ type BaseConnection struct {
 	protocol   string
 	remoteAddr string
 	sync.RWMutex
-	transferID      uint64
 	activeTransfers []ActiveTransfer
 }
 

common/defender.go

@@ -236,16 +236,26 @@ func (d *memoryDefender) GetHosts() []*DefenderEntry {
 
 	var result []*DefenderEntry
 	for k, v := range d.banned {
-		result = append(result, &DefenderEntry{
-			IP:      k,
-			BanTime: v,
-		})
+		if v.After(time.Now()) {
+			result = append(result, &DefenderEntry{
+				IP:      k,
+				BanTime: v,
+			})
+		}
 	}
 	for k, v := range d.hosts {
-		result = append(result, &DefenderEntry{
-			IP:    k,
-			Score: v.TotalScore,
-		})
+		score := 0
+		for _, event := range v.Events {
+			if event.dateTime.Add(time.Duration(d.config.ObservationTime) * time.Minute).After(time.Now()) {
+				score += event.score
+			}
+		}
+		if score > 0 {
+			result = append(result, &DefenderEntry{
+				IP:    k,
+				Score: score,
+			})
+		}
 	}
 
 	return result
@@ -257,17 +267,27 @@ func (d *memoryDefender) GetHost(ip string) (*DefenderEntry, error) {
 	defer d.RUnlock()
 
 	if banTime, ok := d.banned[ip]; ok {
-		return &DefenderEntry{
-			IP:      ip,
-			BanTime: banTime,
-		}, nil
+		if banTime.After(time.Now()) {
+			return &DefenderEntry{
+				IP:      ip,
+				BanTime: banTime,
+			}, nil
+		}
 	}
 
-	if ev, ok := d.hosts[ip]; ok {
-		return &DefenderEntry{
-			IP:    ip,
-			Score: ev.TotalScore,
-		}, nil
+	if hs, ok := d.hosts[ip]; ok {
+		score := 0
+		for _, event := range hs.Events {
+			if event.dateTime.Add(time.Duration(d.config.ObservationTime) * time.Minute).After(time.Now()) {
+				score += event.score
+			}
+		}
+		if score > 0 {
+			return &DefenderEntry{
+				IP:    ip,
+				Score: score,
+			}, nil
+		}
 	}
 
 	return nil, dataprovider.NewRecordNotFoundError("host not found")
@@ -339,8 +359,11 @@ func (d *memoryDefender) AddEvent(ip string, event HostEvent) {
 	}
 
 	// ignore events for already banned hosts
-	if _, ok := d.banned[ip]; ok {
-		return
+	if v, ok := d.banned[ip]; ok {
+		if v.After(time.Now()) {
+			return
+		}
+		delete(d.banned, ip)
 	}
 
 	var score int

common/defender_test.go

@@ -179,6 +179,77 @@ func TestBasicDefender(t *testing.T) {
 	assert.NoError(t, err)
 }
 
+func TestExpiredHostBans(t *testing.T) {
+	config := &DefenderConfig{
+		Enabled:            true,
+		BanTime:            10,
+		BanTimeIncrement:   2,
+		Threshold:          5,
+		ScoreInvalid:       2,
+		ScoreValid:         1,
+		ScoreLimitExceeded: 3,
+		ObservationTime:    15,
+		EntriesSoftLimit:   1,
+		EntriesHardLimit:   2,
+	}
+
+	d, err := newInMemoryDefender(config)
+	assert.NoError(t, err)
+
+	defender := d.(*memoryDefender)
+
+	testIP := "1.2.3.4"
+	defender.banned[testIP] = time.Now().Add(-24 * time.Hour)
+
+	// the ban is expired testIP should not be listed
+	res := defender.GetHosts()
+	assert.Len(t, res, 0)
+
+	assert.False(t, defender.IsBanned(testIP))
+	_, err = defender.GetHost(testIP)
+	assert.Error(t, err)
+	_, ok := defender.banned[testIP]
+	assert.True(t, ok)
+	// now add an event for an expired banned ip, it should be removed
+	defender.AddEvent(testIP, HostEventLoginFailed)
+	assert.False(t, defender.IsBanned(testIP))
+	entry, err := defender.GetHost(testIP)
+	assert.NoError(t, err)
+	assert.Equal(t, testIP, entry.IP)
+	assert.Empty(t, entry.GetBanTime())
+	assert.Equal(t, 1, entry.Score)
+
+	res = defender.GetHosts()
+	if assert.Len(t, res, 1) {
+		assert.Equal(t, testIP, res[0].IP)
+		assert.Empty(t, res[0].GetBanTime())
+		assert.Equal(t, 1, res[0].Score)
+	}
+
+	events := []hostEvent{
+		{
+			dateTime: time.Now().Add(-24 * time.Hour),
+			score:    2,
+		},
+		{
+			dateTime: time.Now().Add(-24 * time.Hour),
+			score:    3,
+		},
+	}
+
+	hs := hostScore{
+		Events:     events,
+		TotalScore: 5,
+	}
+
+	defender.hosts[testIP] = hs
+	// the recorded scored are too old
+	res = defender.GetHosts()
+	assert.Len(t, res, 0)
+	_, err = defender.GetHost(testIP)
+	assert.Error(t, err)
+}
+
 func TestLoadHostListFromFile(t *testing.T) {
 	_, err := loadHostListFromFile(".")
 	assert.Error(t, err)

config/config.go

@@ -147,7 +147,7 @@ func Init() {
 			MACs:                    []string{},
 			TrustedUserCAKeys:       []string{},
 			LoginBannerFile:         "",
-			EnabledSSHCommands:      sftpd.GetDefaultSSHCommands(),
+			EnabledSSHCommands:      []string{},
 			KeyboardInteractiveHook: "",
 			PasswordAuthentication:  true,
 		},
@@ -955,7 +955,7 @@ func setViperDefaults() {
 	viper.SetDefault("sftpd.macs", globalConf.SFTPD.MACs)
 	viper.SetDefault("sftpd.trusted_user_ca_keys", globalConf.SFTPD.TrustedUserCAKeys)
 	viper.SetDefault("sftpd.login_banner_file", globalConf.SFTPD.LoginBannerFile)
-	viper.SetDefault("sftpd.enabled_ssh_commands", globalConf.SFTPD.EnabledSSHCommands)
+	viper.SetDefault("sftpd.enabled_ssh_commands", sftpd.GetDefaultSSHCommands())
 	viper.SetDefault("sftpd.keyboard_interactive_auth_hook", globalConf.SFTPD.KeyboardInteractiveHook)
 	viper.SetDefault("sftpd.password_authentication", globalConf.SFTPD.PasswordAuthentication)
 	viper.SetDefault("ftpd.banner", globalConf.FTPD.Banner)

config/config_linux.go

@@ -1,3 +1,4 @@
+//go:build linux
 // +build linux
 
 package config

config/config_nolinux.go

@@ -1,3 +1,4 @@
+//go:build !linux
 // +build !linux
 
 package config

config/config_test.go

@@ -102,6 +102,35 @@ func TestEmptyBanner(t *testing.T) {
 	assert.NoError(t, err)
 }
 
+func TestEnabledSSHCommands(t *testing.T) {
+	reset()
+
+	configDir := ".."
+	confName := tempConfigName + ".json"
+	configFilePath := filepath.Join(configDir, confName)
+	err := config.LoadConfig(configDir, "")
+	assert.NoError(t, err)
+
+	reset()
+
+	sftpdConf := config.GetSFTPDConfig()
+	sftpdConf.EnabledSSHCommands = []string{"scp"}
+	c := make(map[string]sftpd.Configuration)
+	c["sftpd"] = sftpdConf
+	jsonConf, err := json.Marshal(c)
+	assert.NoError(t, err)
+	err = os.WriteFile(configFilePath, jsonConf, os.ModePerm)
+	assert.NoError(t, err)
+	err = config.LoadConfig(configDir, confName)
+	assert.NoError(t, err)
+	sftpdConf = config.GetSFTPDConfig()
+	if assert.Len(t, sftpdConf.EnabledSSHCommands, 1) {
+		assert.Equal(t, "scp", sftpdConf.EnabledSSHCommands[0])
+	}
+	err = os.Remove(configFilePath)
+	assert.NoError(t, err)
+}
+
 func TestInvalidUploadMode(t *testing.T) {
 	reset()
 

dataprovider/bolt.go

@@ -1,3 +1,4 @@
+//go:build !nobolt
 // +build !nobolt
 
 package dataprovider

dataprovider/bolt_disabled.go

@@ -1,3 +1,4 @@
+//go:build nobolt
 // +build nobolt
 
 package dataprovider

dataprovider/dataprovider.go

@@ -1560,6 +1560,7 @@ func createUserPasswordHash(user *User) error {
 // ValidateFolder returns an error if the folder is not valid
 // FIXME: this should be defined as Folder struct method
 func ValidateFolder(folder *vfs.BaseVirtualFolder) error {
+	folder.FsConfig.SetEmptySecretsIfNil()
 	if folder.Name == "" {
 		return &ValidationError{err: "folder name is mandatory"}
 	}

dataprovider/mysql.go

@@ -1,3 +1,4 @@
+//go:build !nomysql
 // +build !nomysql
 
 package dataprovider

dataprovider/mysql_disabled.go

@@ -1,3 +1,4 @@
+//go:build nomysql
 // +build nomysql
 
 package dataprovider

dataprovider/pgsql.go

@@ -1,3 +1,4 @@
+//go:build !nopgsql
 // +build !nopgsql
 
 package dataprovider

dataprovider/pgsql_disabled.go

@@ -1,3 +1,4 @@
+//go:build nopgsql
 // +build nopgsql
 
 package dataprovider

dataprovider/sqlite.go

@@ -1,3 +1,4 @@
+//go:build !nosqlite
 // +build !nosqlite
 
 package dataprovider

dataprovider/sqlite_disabled.go

@@ -1,3 +1,4 @@
+//go:build nosqlite
 // +build nosqlite
 
 package dataprovider

dataprovider/user.go

@@ -344,17 +344,31 @@ func (u *User) hideConfidentialData() {
 	u.Password = ""
 	switch u.FsConfig.Provider {
 	case vfs.S3FilesystemProvider:
-		u.FsConfig.S3Config.AccessSecret.Hide()
+		if u.FsConfig.S3Config.AccessSecret != nil {
+			u.FsConfig.S3Config.AccessSecret.Hide()
+		}
 	case vfs.GCSFilesystemProvider:
-		u.FsConfig.GCSConfig.Credentials.Hide()
+		if u.FsConfig.GCSConfig.Credentials != nil {
+			u.FsConfig.GCSConfig.Credentials.Hide()
+		}
 	case vfs.AzureBlobFilesystemProvider:
-		u.FsConfig.AzBlobConfig.AccountKey.Hide()
-		u.FsConfig.AzBlobConfig.SASURL.Hide()
+		if u.FsConfig.AzBlobConfig.AccountKey != nil {
+			u.FsConfig.AzBlobConfig.AccountKey.Hide()
+		}
+		if u.FsConfig.AzBlobConfig.SASURL != nil {
+			u.FsConfig.AzBlobConfig.SASURL.Hide()
+		}
 	case vfs.CryptedFilesystemProvider:
-		u.FsConfig.CryptConfig.Passphrase.Hide()
+		if u.FsConfig.CryptConfig.Passphrase != nil {
+			u.FsConfig.CryptConfig.Passphrase.Hide()
+		}
 	case vfs.SFTPFilesystemProvider:
-		u.FsConfig.SFTPConfig.Password.Hide()
-		u.FsConfig.SFTPConfig.PrivateKey.Hide()
+		if u.FsConfig.SFTPConfig.Password != nil {
+			u.FsConfig.SFTPConfig.Password.Hide()
+		}
+		if u.FsConfig.SFTPConfig.PrivateKey != nil {
+			u.FsConfig.SFTPConfig.PrivateKey.Hide()
+		}
 	}
 }
 

docker/README.md

@@ -4,10 +4,10 @@ SFTPGo provides an official Docker image, it is available on both [Docker Hub](h
 
 ## Supported tags and respective Dockerfile links
 
-- [v2.1.0, v2.1, v2, latest](https://github.com/drakkan/sftpgo/blob/v2.1.0/Dockerfile)
-- [v2.1.0-alpine, v2.1-alpine, v2-alpine, alpine](https://github.com/drakkan/sftpgo/blob/v2.1.0/Dockerfile.alpine)
-- [v2.1.0-slim, v2.1-slim, v2-slim, slim](https://github.com/drakkan/sftpgo/blob/v2.1.0/Dockerfile)
-- [v2.1.0-alpine-slim, v2.1-alpine-slim, v2-alpine-slim, alpine-slim](https://github.com/drakkan/sftpgo/blob/v2.1.0/Dockerfile.alpine)
+- [v2.1.2, v2.1, v2, latest](https://github.com/drakkan/sftpgo/blob/v2.1.2/Dockerfile)
+- [v2.1.2-alpine, v2.1-alpine, v2-alpine, alpine](https://github.com/drakkan/sftpgo/blob/v2.1.2/Dockerfile.alpine)
+- [v2.1.2-slim, v2.1-slim, v2-slim, slim](https://github.com/drakkan/sftpgo/blob/v2.1.2/Dockerfile)
+- [v2.1.2-alpine-slim, v2.1-alpine-slim, v2-alpine-slim, alpine-slim](https://github.com/drakkan/sftpgo/blob/v2.1.2/Dockerfile.alpine)
 - [edge](../Dockerfile)
 - [edge-alpine](../Dockerfile.alpine)
 - [edge-slim](../Dockerfile)

ftpd/ftpd_test.go

@@ -2275,13 +2275,13 @@ func TestActiveModeDisabled(t *testing.T) {
 	if assert.NoError(t, err) {
 		code, response, err := client.SendCustomCommand("PORT 10,2,0,2,4,31")
 		assert.NoError(t, err)
-		assert.Equal(t, ftp.StatusCommandOK, code)
-		assert.Equal(t, "PORT command successful", response)
+		assert.Equal(t, ftp.StatusBadArguments, code)
+		assert.Equal(t, "Your request does not meet the configured security requirements", response)
 
 		code, response, err = client.SendCustomCommand("EPRT |1|132.235.1.2|6275|")
 		assert.NoError(t, err)
-		assert.Equal(t, ftp.StatusCommandOK, code)
-		assert.Equal(t, "EPRT command successful", response)
+		assert.Equal(t, ftp.StatusBadArguments, code)
+		assert.Equal(t, "Your request does not meet the configured security requirements", response)
 
 		err = client.Quit()
 		assert.NoError(t, err)

ftpd/internal_test.go

@@ -12,6 +12,7 @@ import (
 	"time"
 
 	"github.com/eikenb/pipeat"
+	ftpserver "github.com/fclairamb/ftpserverlib"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 
@@ -250,6 +251,7 @@ xr5cb9VBRBtB9aOKVfuRhpatAfS2Pzm2Htae9lFn7slGPUmu2hkjDw==
 )
 
 type mockFTPClientContext struct {
+	lastDataChannel ftpserver.DataChannel
 }
 
 func (cc mockFTPClientContext) Path() string {
@@ -294,6 +296,10 @@ func (cc mockFTPClientContext) GetLastCommand() string {
 	return ""
 }
 
+func (cc mockFTPClientContext) GetLastDataChannel() ftpserver.DataChannel {
+	return cc.lastDataChannel
+}
+
 // MockOsFs mockable OsFs
 type MockOsFs struct {
 	vfs.Fs

ftpd/server.go

@@ -94,7 +94,7 @@ func (s *Server) GetSettings() (*ftpserver.Settings, error) {
 		}
 	}
 	var ftpListener net.Listener
-	if common.Config.ProxyProtocol > 0 && s.binding.ApplyProxyConfig {
+	if s.binding.HasProxy() {
 		listener, err := net.Listen("tcp", s.binding.GetAddress())
 		if err != nil {
 			logger.Warn(logSender, "", "error starting listener on address %v: %v", s.binding.GetAddress(), err)
@@ -105,6 +105,9 @@ func (s *Server) GetSettings() (*ftpserver.Settings, error) {
 			logger.Warn(logSender, "", "error enabling proxy listener: %v", err)
 			return nil, err
 		}
+		if s.binding.TLSMode == 2 && s.tlsConfig != nil {
+			ftpListener = tls.NewListener(ftpListener, s.tlsConfig)
+		}
 	}
 
 	if s.binding.TLSMode < 0 || s.binding.TLSMode > 2 {
@@ -197,6 +200,14 @@ func (s *Server) AuthUser(cc ftpserver.ClientContext, username, password string)
 	return connection, nil
 }
 
+// WrapPassiveListener implements the MainDriverExtensionPassiveWrapper interface
+func (s *Server) WrapPassiveListener(listener net.Listener) (net.Listener, error) {
+	if s.binding.HasProxy() {
+		return common.Config.GetProxyListener(listener)
+	}
+	return listener, nil
+}
+
 // VerifyConnection checks whether a user should be authenticated using a client certificate without prompting for a password
 func (s *Server) VerifyConnection(cc ftpserver.ClientContext, user string, tlsConn *tls.Conn) (ftpserver.ClientDriver, error) {
 	if !s.binding.isMutualTLSEnabled() {

go.mod

@@ -3,71 +3,62 @@ module github.com/drakkan/sftpgo
 go 1.16
 
 require (
-	cloud.google.com/go/storage v1.15.0
-	github.com/Azure/azure-storage-blob-go v0.13.0
+	cloud.google.com/go/storage v1.16.1
+	github.com/Azure/azure-storage-blob-go v0.14.0
 	github.com/GehirnInc/crypt v0.0.0-20200316065508-bb7000b8a962
-	github.com/StackExchange/wmi v0.0.0-20210224194228-fe8f1750fd46 // indirect
 	github.com/alexedwards/argon2id v0.0.0-20210511081203-7d35d68092b8
-	github.com/aws/aws-sdk-go v1.38.61
+	github.com/aws/aws-sdk-go v1.40.41
 	github.com/cockroachdb/cockroach-go/v2 v2.1.1
 	github.com/eikenb/pipeat v0.0.0-20210603033007-44fc3ffce52b
-	github.com/fclairamb/ftpserverlib v0.13.3-0.20210614220040-27dccea41813
-	github.com/frankban/quicktest v1.13.0 // indirect
-	github.com/go-chi/chi/v5 v5.0.3
+	github.com/fclairamb/ftpserverlib v0.15.1-0.20210910204600-c38788485016
+	github.com/frankban/quicktest v1.13.1 // indirect
+	github.com/go-chi/chi/v5 v5.0.4
 	github.com/go-chi/jwtauth/v5 v5.0.1
 	github.com/go-chi/render v1.0.1
-	github.com/go-ole/go-ole v1.2.5 // indirect
 	github.com/go-sql-driver/mysql v1.6.0
-	github.com/goccy/go-json v0.7.0 // indirect
 	github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510
 	github.com/grandcat/zeroconf v1.0.0
 	github.com/hashicorp/go-retryablehttp v0.7.0
 	github.com/jlaffaye/ftp v0.0.0-20201112195030-9aae4d151126
-	github.com/klauspost/compress v1.13.1
-	github.com/klauspost/cpuid/v2 v2.0.6 // indirect
-	github.com/lestrrat-go/backoff/v2 v2.0.8 // indirect
-	github.com/lestrrat-go/jwx v1.2.1
-	github.com/lib/pq v1.10.2
-	github.com/magiconair/properties v1.8.5 // indirect
-	github.com/mattn/go-sqlite3 v1.14.7
-	github.com/miekg/dns v1.1.42 // indirect
+	github.com/klauspost/compress v1.13.5
+	github.com/klauspost/cpuid/v2 v2.0.9 // indirect
+	github.com/lestrrat-go/jwx v1.2.6
+	github.com/lib/pq v1.10.3
+	github.com/mattn/go-sqlite3 v1.14.8
+	github.com/miekg/dns v1.1.43 // indirect
 	github.com/minio/sio v0.3.0
 	github.com/otiai10/copy v1.6.0
-	github.com/pelletier/go-toml v1.9.3 // indirect
-	github.com/pires/go-proxyproto v0.5.0
-	github.com/pkg/sftp v1.13.1
+	github.com/pires/go-proxyproto v0.6.1
+	github.com/pkg/sftp v1.13.3
 	github.com/prometheus/client_golang v1.11.0
-	github.com/prometheus/common v0.29.0 // indirect
-	github.com/rs/cors v1.7.1-0.20200626170627-8b4a00bd362b
+	github.com/prometheus/common v0.30.0 // indirect
+	github.com/rs/cors v1.8.0
 	github.com/rs/xid v1.3.0
-	github.com/rs/zerolog v1.23.0
+	github.com/rs/zerolog v1.25.0
 	github.com/russross/blackfriday/v2 v2.1.0 // indirect
-	github.com/shirou/gopsutil/v3 v3.21.5
+	github.com/shirou/gopsutil/v3 v3.21.8
 	github.com/spf13/afero v1.6.0
-	github.com/spf13/cast v1.3.1 // indirect
-	github.com/spf13/cobra v1.1.3
-	github.com/spf13/jwalterweatherman v1.1.0 // indirect
-	github.com/spf13/viper v1.7.1
+	github.com/spf13/cobra v1.2.1
+	github.com/spf13/viper v1.8.1
 	github.com/stretchr/testify v1.7.0
-	github.com/studio-b12/gowebdav v0.0.0-20210427212133-86f8378cf140
+	github.com/studio-b12/gowebdav v0.0.0-20210630100626-7ff61aa87be8
 	github.com/yl2chen/cidranger v1.0.2
 	go.etcd.io/bbolt v1.3.6
 	go.uber.org/automaxprocs v1.4.0
-	gocloud.dev v0.23.0
-	gocloud.dev/secrets/hashivault v0.23.0
-	golang.org/x/crypto v0.0.0-20210513164829-c07d793c2f9a
-	golang.org/x/net v0.0.0-20210614182718-04defd469f4e
-	golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1
-	golang.org/x/time v0.0.0-20210611083556-38a9dc6acbc6
-	google.golang.org/api v0.48.0
-	google.golang.org/genproto v0.0.0-20210614182748-5b3b54cad159 // indirect
-	gopkg.in/ini.v1 v1.62.0 // indirect
+	gocloud.dev v0.24.0
+	gocloud.dev/secrets/hashivault v0.24.0
+	golang.org/x/crypto v0.0.0-20210817164053-32db794688a5
+	golang.org/x/net v0.0.0-20210907225631-ff17edfbf26d
+	golang.org/x/sys v0.0.0-20210910150752-751e447fb3d0
+	golang.org/x/time v0.0.0-20210723032227-1f47c861a9ac
+	google.golang.org/api v0.56.0
+	google.golang.org/genproto v0.0.0-20210909211513-a8c4777a87af // indirect
 	gopkg.in/natefinch/lumberjack.v2 v2.0.0
-	gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b // indirect
 )
 
 replace (
+	github.com/eikenb/pipeat => github.com/drakkan/pipeat v0.0.0-20210805162858-70e57fa8a639
 	github.com/jlaffaye/ftp => github.com/drakkan/ftp v0.0.0-20201114075148-9b9adce499a9
-	golang.org/x/crypto => github.com/drakkan/crypto v0.0.0-20210515063737-edf1d3b63536
-	golang.org/x/net => github.com/drakkan/net v0.0.0-20210615043241-a7f9e02422df
+	golang.org/x/crypto => github.com/drakkan/crypto v0.0.0-20210908103413-a132997f748f
+	golang.org/x/net => github.com/drakkan/net v0.0.0-20210908102438-2debf45fec0b
 )

httpclient/httpclient.go

@@ -190,7 +190,10 @@ func Get(url string) (*http.Response, error) {
 		return nil, err
 	}
 	addHeaders(req, url)
-	return GetHTTPClient().Do(req)
+	client := GetHTTPClient()
+	defer client.CloseIdleConnections()
+
+	return client.Do(req)
 }
 
 // Post issues a POST to the specified URL
@@ -201,7 +204,10 @@ func Post(url string, contentType string, body io.Reader) (*http.Response, error
 	}
 	req.Header.Set("Content-Type", contentType)
 	addHeaders(req, url)
-	return GetHTTPClient().Do(req)
+	client := GetHTTPClient()
+	defer client.CloseIdleConnections()
+
+	return client.Do(req)
 }
 
 // RetryableGet issues a GET to the specified URL using the retryable client
@@ -211,7 +217,10 @@ func RetryableGet(url string) (*http.Response, error) {
 		return nil, err
 	}
 	addHeadersToRetryableReq(req, url)
-	return GetRetraybleHTTPClient().Do(req)
+	client := GetRetraybleHTTPClient()
+	defer client.HTTPClient.CloseIdleConnections()
+
+	return client.Do(req)
 }
 
 // RetryablePost issues a POST to the specified URL using the retryable client
@@ -222,7 +231,10 @@ func RetryablePost(url string, contentType string, body io.Reader) (*http.Respon
 	}
 	req.Header.Set("Content-Type", contentType)
 	addHeadersToRetryableReq(req, url)
-	return GetRetraybleHTTPClient().Do(req)
+	client := GetRetraybleHTTPClient()
+	defer client.HTTPClient.CloseIdleConnections()
+
+	return client.Do(req)
 }
 
 func addHeaders(req *http.Request, url string) {

httpd/api_utils.go

@@ -363,7 +363,7 @@ func parseRangeRequest(bytesRange string, size int64) (int64, int64, error) {
 
 func updateLoginMetrics(user *dataprovider.User, ip string, err error) {
 	metrics.AddLoginAttempt(dataprovider.LoginMethodPassword)
-	if err != nil && err != common.ErrInternalFailure {
+	if err != nil && err != common.ErrInternalFailure && err != common.ErrNoCredentials {
 		logger.ConnectionFailedLog(user.Username, ip, dataprovider.LoginMethodPassword, common.ProtocolHTTP, err.Error())
 		event := common.HostEventLoginFailed
 		if _, ok := err.(*dataprovider.RecordNotFoundError); ok {

httpd/httpd_test.go

@@ -5944,6 +5944,11 @@ func TestWebAdminSetupMock(t *testing.T) {
 	rr = executeRequest(req)
 	checkResponseCode(t, http.StatusFound, rr)
 	assert.Equal(t, webAdminSetupPath, rr.Header().Get("Location"))
+	req, err = http.NewRequest(http.MethodGet, webClientLoginPath, nil)
+	assert.NoError(t, err)
+	rr = executeRequest(req)
+	checkResponseCode(t, http.StatusFound, rr)
+	assert.Equal(t, webAdminSetupPath, rr.Header().Get("Location"))
 
 	csrfToken, err := getCSRFToken(httpBaseURL + webAdminSetupPath)
 	assert.NoError(t, err)

httpd/schema/openapi.yaml

@@ -17,7 +17,7 @@ info:
     Several storage backends are supported and they are configurable per user, so you can serve a local directory for a user and an S3 bucket (or part of it) for another one.
     SFTPGo also supports virtual folders, a virtual folder can use any of the supported storage backends. So you can have, for example, an S3 user that exposes a GCS bucket (or part of it) on a specified path and an encrypted local filesystem on another one.
     Virtual folders can be private or shared among multiple users, for shared virtual folders you can define different quota limits for each user.
-  version: 2.1.0
+  version: 2.1.2
   contact:
     name: API support
     url: 'https://github.com/drakkan/sftpgo'

httpd/server.go

@@ -530,9 +530,9 @@ func (s *httpdServer) initializeRouter() {
 	s.router = chi.NewRouter()
 
 	s.router.Use(middleware.RequestID)
+	s.router.Use(s.checkConnection)
 	s.router.Use(logger.NewStructuredLogger(logger.GetLogger()))
 	s.router.Use(recoverer)
-	s.router.Use(s.checkConnection)
 	s.router.Use(middleware.GetHead)
 	s.router.Use(middleware.StripSlashes)
 

httpd/webclient.go

@@ -253,6 +253,10 @@ func renderCredentialsPage(w http.ResponseWriter, r *http.Request, pwdError stri
 }
 
 func handleClientWebLogin(w http.ResponseWriter, r *http.Request) {
+	if !dataprovider.HasAdmin() {
+		http.Redirect(w, r, webAdminSetupPath, http.StatusFound)
+		return
+	}
 	renderClientLoginPage(w, "")
 }
 

init/sftpgo.service

@@ -12,6 +12,7 @@ Environment=SFTPGO_LOG_FILE_PATH=
 EnvironmentFile=-/etc/sftpgo/sftpgo.env
 ExecStart=/usr/bin/sftpgo serve
 ExecReload=/bin/kill -s HUP $MAINPID
+LimitNOFILE=8192
 KillMode=mixed
 PrivateTmp=true
 Restart=always

kms/aws.go

@@ -1,3 +1,4 @@
+//go:build !noawskms
 // +build !noawskms
 
 package kms

kms/aws_disabled.go

@@ -1,3 +1,4 @@
+//go:build noawskms
 // +build noawskms
 
 package kms

kms/gcp.go

@@ -1,3 +1,4 @@
+//go:build !nogcpkms
 // +build !nogcpkms
 
 package kms

kms/gcp_disabled.go

@@ -1,3 +1,4 @@
+//go:build nogcpkms
 // +build nogcpkms
 
 package kms

kms/vault.go

@@ -1,3 +1,4 @@
+//go:build !novaultkms
 // +build !novaultkms
 
 package kms

kms/vault_disabled.go

@@ -1,3 +1,4 @@
+//go:build novaultkms
 // +build novaultkms
 
 package kms

logger/journald.go

@@ -1,3 +1,4 @@
+//go:build linux
 // +build linux
 
 package logger

logger/journald_nolinux.go

@@ -1,3 +1,4 @@
+//go:build !linux
 // +build !linux
 
 package logger

metrics/metrics.go

@@ -1,3 +1,4 @@
+//go:build !nometrics
 // +build !nometrics
 
 // Package metrics provides Prometheus metrics support

service/service_portable.go

@@ -1,3 +1,4 @@
+//go:build !noportable
 // +build !noportable
 
 package service

service/signals_unix.go

@@ -1,3 +1,4 @@
+//go:build !windows
 // +build !windows
 
 package service

sftpd/cmd_unix.go

@@ -1,3 +1,4 @@
+//go:build !windows
 // +build !windows
 
 package sftpd

sftpd/internal_unix_test.go

@@ -1,3 +1,4 @@
+//go:build !windows
 // +build !windows
 
 package sftpd

sftpd/server.go

@@ -241,16 +241,14 @@ func (c *Configuration) Initialize(configDir string) error {
 				return
 			}
 
-			if binding.ApplyProxyConfig {
+			if binding.ApplyProxyConfig && common.Config.ProxyProtocol > 0 {
 				proxyListener, err := common.Config.GetProxyListener(listener)
 				if err != nil {
 					logger.Warn(logSender, "", "error enabling proxy listener: %v", err)
 					exitChannel <- err
 					return
 				}
-				if proxyListener != nil {
-					listener = proxyListener
-				}
+				listener = proxyListener
 			}
 
 			exitChannel <- c.serve(listener, serverConfig)

templates/webadmin/adminsetup.html

@@ -99,15 +99,15 @@
                                         class="user-custom">
                                         <div class="form-group">
                                             <input type="text" class="form-control form-control-user-custom" id="inputUsername"
-                                                name="username" placeholder="Username" value="{{.Username}}" maxlength="60" required>
+                                                name="username" placeholder="Username" value="{{.Username}}" required>
                                         </div>
                                         <div class="form-group">
                                             <input type="password" class="form-control form-control-user-custom" id="inputPassword"
-                                                name="password" placeholder="Password" maxlength="60" required>
+                                                name="password" placeholder="Password" required>
                                         </div>
                                         <div class="form-group">
                                             <input type="password" class="form-control form-control-user-custom" id="inputConfirmPassword"
-                                                name="confirm_password" placeholder="Repeat password" maxlength="60" required>
+                                                name="confirm_password" placeholder="Repeat password" required>
                                         </div>
                                         <input type="hidden" name="_form_token" value="{{.CSRFToken}}">
                                         <button type="submit" class="btn btn-primary btn-user-custom btn-block">

version/version.go

@@ -2,7 +2,7 @@ package version
 
 import "strings"
 
-const version = "2.1.0-dev"
+const version = "2.1.2-dev"
 
 var (
 	commit = ""

vfs/azblobfs.go

@@ -1,3 +1,4 @@
+//go:build !noazblob
 // +build !noazblob
 
 package vfs

vfs/azblobfs_disabled.go

@@ -1,3 +1,4 @@
+//go:build noazblob
 // +build noazblob
 
 package vfs

vfs/folder.go

@@ -103,17 +103,31 @@ func (v *BaseVirtualFolder) IsLocalOrLocalCrypted() bool {
 func (v *BaseVirtualFolder) hideConfidentialData() {
 	switch v.FsConfig.Provider {
 	case S3FilesystemProvider:
-		v.FsConfig.S3Config.AccessSecret.Hide()
+		if v.FsConfig.S3Config.AccessSecret != nil {
+			v.FsConfig.S3Config.AccessSecret.Hide()
+		}
 	case GCSFilesystemProvider:
-		v.FsConfig.GCSConfig.Credentials.Hide()
+		if v.FsConfig.GCSConfig.Credentials != nil {
+			v.FsConfig.GCSConfig.Credentials.Hide()
+		}
 	case AzureBlobFilesystemProvider:
-		v.FsConfig.AzBlobConfig.AccountKey.Hide()
-		v.FsConfig.AzBlobConfig.SASURL.Hide()
+		if v.FsConfig.AzBlobConfig.AccountKey != nil {
+			v.FsConfig.AzBlobConfig.AccountKey.Hide()
+		}
+		if v.FsConfig.AzBlobConfig.SASURL != nil {
+			v.FsConfig.AzBlobConfig.SASURL.Hide()
+		}
 	case CryptedFilesystemProvider:
-		v.FsConfig.CryptConfig.Passphrase.Hide()
+		if v.FsConfig.CryptConfig.Passphrase != nil {
+			v.FsConfig.CryptConfig.Passphrase.Hide()
+		}
 	case SFTPFilesystemProvider:
-		v.FsConfig.SFTPConfig.Password.Hide()
-		v.FsConfig.SFTPConfig.PrivateKey.Hide()
+		if v.FsConfig.SFTPConfig.Password != nil {
+			v.FsConfig.SFTPConfig.Password.Hide()
+		}
+		if v.FsConfig.SFTPConfig.PrivateKey != nil {
+			v.FsConfig.SFTPConfig.PrivateKey.Hide()
+		}
 	}
 }
 

vfs/gcsfs.go

@@ -1,3 +1,4 @@
+//go:build !nogcs
 // +build !nogcs
 
 package vfs
@@ -5,7 +6,6 @@ package vfs
 import (
 	"context"
 	"encoding/json"
-	"errors"
 	"fmt"
 	"io"
 	"mime"
@@ -112,37 +112,18 @@ func (fs *GCSFs) ConnectionID() string {
 
 // Stat returns a FileInfo describing the named file
 func (fs *GCSFs) Stat(name string) (os.FileInfo, error) {
-	var result *FileInfo
-	var err error
 	if name == "" || name == "." {
 		err := fs.checkIfBucketExists()
 		if err != nil {
-			return result, err
+			return nil, err
 		}
 		return NewFileInfo(name, true, 0, time.Now(), false), nil
 	}
 	if fs.config.KeyPrefix == name+"/" {
 		return NewFileInfo(name, true, 0, time.Now(), false), nil
 	}
-	attrs, err := fs.headObject(name)
-	if err == nil {
-		objSize := attrs.Size
-		objectModTime := attrs.Updated
-		isDir := attrs.ContentType == dirMimeType || strings.HasSuffix(attrs.Name, "/")
-		return NewFileInfo(name, isDir, objSize, objectModTime, false), nil
-	}
-	if !fs.IsNotExist(err) {
-		return result, err
-	}
-	// now check if this is a prefix (virtual directory)
-	hasContents, err := fs.hasContents(name)
-	if err != nil {
-		return nil, err
-	}
-	if hasContents {
-		return NewFileInfo(name, true, 0, time.Now(), false), nil
-	}
-	return nil, errors.New("404 no such file or directory")
+	_, info, err := fs.getObjectStat(name)
+	return info, err
 }
 
 // Lstat returns a FileInfo describing the named file
@@ -229,7 +210,7 @@ func (fs *GCSFs) Rename(source, target string) error {
 	if source == target {
 		return nil
 	}
-	fi, err := fs.Stat(source)
+	realSourceName, fi, err := fs.getObjectStat(source)
 	if err != nil {
 		return err
 	}
@@ -241,8 +222,11 @@ func (fs *GCSFs) Rename(source, target string) error {
 		if hasContents {
 			return fmt.Errorf("cannot rename non empty directory: %#v", source)
 		}
+		if !strings.HasSuffix(target, "/") {
+			target += "/"
+		}
 	}
-	src := fs.svc.Bucket(fs.config.Bucket).Object(source)
+	src := fs.svc.Bucket(fs.config.Bucket).Object(realSourceName)
 	dst := fs.svc.Bucket(fs.config.Bucket).Object(target)
 	ctx, cancelFn := context.WithDeadline(context.Background(), time.Now().Add(fs.ctxTimeout))
 	defer cancelFn()
@@ -277,11 +261,18 @@ func (fs *GCSFs) Remove(name string, isDir bool) error {
 		if hasContents {
 			return fmt.Errorf("cannot remove non empty directory: %#v", name)
 		}
+		if !strings.HasSuffix(name, "/") {
+			name += "/"
+		}
 	}
 	ctx, cancelFn := context.WithDeadline(context.Background(), time.Now().Add(fs.ctxTimeout))
 	defer cancelFn()
 
 	err := fs.svc.Bucket(fs.config.Bucket).Object(name).Delete(ctx)
+	if fs.IsNotExist(err) && isDir {
+		// we can have directories without a trailing "/" (created using v2.1.0 and before)
+		err = fs.svc.Bucket(fs.config.Bucket).Object(strings.TrimSuffix(name, "/")).Delete(ctx)
+	}
 	metrics.GCSDeleteObjectCompleted(err)
 	return err
 }
@@ -292,6 +283,9 @@ func (fs *GCSFs) Mkdir(name string) error {
 	if !fs.IsNotExist(err) {
 		return err
 	}
+	if !strings.HasSuffix(name, "/") {
+		name += "/"
+	}
 	_, w, _, err := fs.Create(name, -1)
 	if err != nil {
 		return err
@@ -613,6 +607,36 @@ func (fs *GCSFs) resolve(name string, prefix string) (string, bool) {
 	return result, isDir
 }
 
+// getObjectStat returns the stat result and the real object name as first value
+func (fs *GCSFs) getObjectStat(name string) (string, os.FileInfo, error) {
+	attrs, err := fs.headObject(name)
+	if err == nil {
+		objSize := attrs.Size
+		objectModTime := attrs.Updated
+		isDir := attrs.ContentType == dirMimeType || strings.HasSuffix(attrs.Name, "/")
+		return name, NewFileInfo(name, isDir, objSize, objectModTime, false), nil
+	}
+	if !fs.IsNotExist(err) {
+		return "", nil, err
+	}
+	// now check if this is a prefix (virtual directory)
+	hasContents, err := fs.hasContents(name)
+	if err != nil {
+		return "", nil, err
+	}
+	if hasContents {
+		return name, NewFileInfo(name, true, 0, time.Now(), false), nil
+	}
+	// finally check if this is an object with a trailing /
+	attrs, err = fs.headObject(name + "/")
+	if err != nil {
+		return "", nil, err
+	}
+	objSize := attrs.Size
+	objectModTime := attrs.Updated
+	return name + "/", NewFileInfo(name, true, objSize, objectModTime, false), nil
+}
+
 func (fs *GCSFs) checkIfBucketExists() error {
 	ctx, cancelFn := context.WithDeadline(context.Background(), time.Now().Add(fs.ctxTimeout))
 	defer cancelFn()

vfs/gcsfs_disabled.go

@@ -1,3 +1,4 @@
+//go:build nogcs
 // +build nogcs
 
 package vfs

vfs/s3fs.go

@@ -1,3 +1,4 @@
+//go:build !nos3
 // +build !nos3
 
 package vfs
@@ -16,6 +17,7 @@ import (
 	"github.com/aws/aws-sdk-go/aws"
 	"github.com/aws/aws-sdk-go/aws/awserr"
 	"github.com/aws/aws-sdk-go/aws/credentials"
+	"github.com/aws/aws-sdk-go/aws/request"
 	"github.com/aws/aws-sdk-go/aws/session"
 	"github.com/aws/aws-sdk-go/service/s3"
 	"github.com/aws/aws-sdk-go/service/s3/s3manager"
@@ -178,6 +180,17 @@ func (fs *S3Fs) Open(name string, offset int64) (File, *pipeat.PipeReaderAt, fun
 	}
 	ctx, cancelFn := context.WithCancel(context.Background())
 	downloader := s3manager.NewDownloaderWithClient(fs.svc)
+	if offset == 0 {
+		downloader.RequestOptions = append(downloader.RequestOptions, func(r *request.Request) {
+			chunkCtx, cancel := context.WithTimeout(r.Context(), 3*time.Minute)
+			r.SetContext(chunkCtx)
+
+			go func() {
+				<-ctx.Done()
+				cancel()
+			}()
+		})
+	}
 	var streamRange *string
 	if offset > 0 {
 		streamRange = aws.String(fmt.Sprintf("bytes=%v-", offset))
@@ -278,11 +291,19 @@ func (fs *S3Fs) Rename(source, target string) error {
 	defer cancelFn()
 	_, err = fs.svc.CopyObjectWithContext(ctx, &s3.CopyObjectInput{
 		Bucket:       aws.String(fs.config.Bucket),
-		CopySource:   aws.String(url.PathEscape(copySource)),
+		CopySource:   aws.String(pathEscape(copySource)),
 		Key:          aws.String(target),
 		StorageClass: utils.NilIfEmpty(fs.config.StorageClass),
 		ContentType:  utils.NilIfEmpty(contentType),
 	})
+	if err != nil {
+		metrics.S3CopyObjectCompleted(err)
+		return err
+	}
+	err = fs.svc.WaitUntilObjectExistsWithContext(ctx, &s3.HeadObjectInput{
+		Bucket: aws.String(fs.config.Bucket),
+		Key:    aws.String(target),
+	})
 	metrics.S3CopyObjectCompleted(err)
 	if err != nil {
 		return err
@@ -686,3 +707,14 @@ func (*S3Fs) Close() error {
 func (*S3Fs) GetAvailableDiskSize(dirName string) (*sftp.StatVFS, error) {
 	return nil, ErrStorageSizeUnavailable
 }
+
+// ideally we should simply use url.PathEscape:
+//
+// https://github.com/awsdocs/aws-doc-sdk-examples/blob/master/go/example_code/s3/s3_copy_object.go#L65
+//
+// but this cause issue with some vendors, see #483, the code below is copied from rclone
+func pathEscape(in string) string {
+	var u url.URL
+	u.Path = in
+	return strings.ReplaceAll(u.String(), "+", "%2B")
+}

vfs/s3fs_disabled.go

@@ -1,3 +1,4 @@
+//go:build nos3
 // +build nos3
 
 package vfs

vfs/sftpfs.go

@@ -455,6 +455,9 @@ func (*SFTPFs) IsNotExist(err error) bool {
 // IsPermission returns a boolean indicating whether the error is known to
 // report that permission is denied.
 func (*SFTPFs) IsPermission(err error) bool {
+	if _, ok := err.(*pathResolutionError); ok {
+		return true
+	}
 	return os.IsPermission(err)
 }
 
@@ -612,11 +615,11 @@ func (fs *SFTPFs) isSubDir(name string) error {
 	}
 	if len(name) < len(fs.config.Prefix) {
 		err := fmt.Errorf("path %#v is not inside: %#v", name, fs.config.Prefix)
-		return err
+		return &pathResolutionError{err: err.Error()}
 	}
 	if !strings.HasPrefix(name, fs.config.Prefix+"/") {
 		err := fmt.Errorf("path %#v is not inside: %#v", name, fs.config.Prefix)
-		return err
+		return &pathResolutionError{err: err.Error()}
 	}
 	return nil
 }

vfs/statvfs_fallback.go

@@ -1,3 +1,4 @@
+//go:build !darwin && !linux && !freebsd
 // +build !darwin,!linux,!freebsd
 
 package vfs

vfs/statvfs_linux.go

@@ -1,3 +1,4 @@
+//go:build linux
 // +build linux
 
 package vfs

vfs/statvfs_unix.go

@@ -1,3 +1,4 @@
+//go:build freebsd || darwin
 // +build freebsd darwin
 
 package vfs

vfs/sys_unix.go

@@ -1,3 +1,4 @@
+//go:build !windows
 // +build !windows
 
 package vfs

webdavd/server.go

@@ -367,7 +367,7 @@ func writeLog(r *http.Request, err error) {
 
 func updateLoginMetrics(user *dataprovider.User, ip, loginMethod string, err error) {
 	metrics.AddLoginAttempt(loginMethod)
-	if err != nil && err != common.ErrInternalFailure {
+	if err != nil && err != common.ErrInternalFailure && err != common.ErrNoCredentials {
 		logger.ConnectionFailedLog(user.Username, ip, loginMethod, common.ProtocolWebDAV, err.Error())
 		event := common.HostEventLoginFailed
 		if _, ok := err.(*dataprovider.RecordNotFoundError); ok {

webdavd/webdavd_test.go

@@ -14,6 +14,7 @@ import (
 	"os/exec"
 	"path"
 	"path/filepath"
+	"regexp"
 	"runtime"
 	"strings"
 	"sync"
@@ -651,6 +652,110 @@ func TestBasicHandlingCryptFs(t *testing.T) {
 	assert.Len(t, common.Connections.GetStats(), 0)
 }
 
+func TestLockAfterDelete(t *testing.T) {
+	u := getTestUser()
+	user, _, err := httpdtest.AddUser(u, http.StatusCreated)
+	assert.NoError(t, err)
+
+	client := getWebDavClient(user, false, nil)
+	assert.NoError(t, checkBasicFunc(client))
+	testFilePath := filepath.Join(homeBasePath, testFileName)
+	testFileSize := int64(65535)
+	err = createTestFile(testFilePath, testFileSize)
+	assert.NoError(t, err)
+	err = uploadFile(testFilePath, testFileName, testFileSize, client)
+	assert.NoError(t, err)
+	lockBody := `<?xml version="1.0" encoding="utf-8" ?><d:lockinfo xmlns:d="DAV:"><d:lockscope><d:exclusive/></d:lockscope><d:locktype><d:write/></d:locktype></d:lockinfo>`
+	req, err := http.NewRequest("LOCK", fmt.Sprintf("http://%v/%v", webDavServerAddr, testFileName), bytes.NewReader([]byte(lockBody)))
+	assert.NoError(t, err)
+	req.SetBasicAuth(u.Username, u.Password)
+	httpClient := httpclient.GetHTTPClient()
+	resp, err := httpClient.Do(req)
+	assert.NoError(t, err)
+	assert.Equal(t, http.StatusOK, resp.StatusCode)
+	response, err := io.ReadAll(resp.Body)
+	assert.NoError(t, err)
+	re := regexp.MustCompile(`\<D:locktoken><D:href>.*</D:href>`)
+	lockToken := string(re.Find(response))
+	lockToken = strings.Replace(lockToken, "<D:locktoken><D:href>", "", 1)
+	lockToken = strings.Replace(lockToken, "</D:href>", "", 1)
+	err = resp.Body.Close()
+	assert.NoError(t, err)
+
+	req, err = http.NewRequest(http.MethodDelete, fmt.Sprintf("http://%v/%v", webDavServerAddr, testFileName), nil)
+	assert.NoError(t, err)
+	req.Header.Set("If", fmt.Sprintf("(%v)", lockToken))
+	req.SetBasicAuth(u.Username, u.Password)
+	resp, err = httpClient.Do(req)
+	assert.NoError(t, err)
+	assert.Equal(t, http.StatusNoContent, resp.StatusCode)
+	err = resp.Body.Close()
+	assert.NoError(t, err)
+	// if we try to lock again it must succeed, the lock must be deleted with the object
+	req, err = http.NewRequest("LOCK", fmt.Sprintf("http://%v/%v", webDavServerAddr, testFileName), bytes.NewReader([]byte(lockBody)))
+	assert.NoError(t, err)
+	req.SetBasicAuth(u.Username, u.Password)
+	resp, err = httpClient.Do(req)
+	assert.NoError(t, err)
+	assert.Equal(t, http.StatusCreated, resp.StatusCode)
+	err = resp.Body.Close()
+	assert.NoError(t, err)
+
+	_, err = httpdtest.RemoveUser(user, http.StatusOK)
+	assert.NoError(t, err)
+	err = os.RemoveAll(user.GetHomeDir())
+	assert.NoError(t, err)
+}
+
+func TestRenameWithLock(t *testing.T) {
+	u := getTestUser()
+	user, _, err := httpdtest.AddUser(u, http.StatusCreated)
+	assert.NoError(t, err)
+
+	client := getWebDavClient(user, false, nil)
+	assert.NoError(t, checkBasicFunc(client))
+	testFilePath := filepath.Join(homeBasePath, testFileName)
+	testFileSize := int64(65535)
+	err = createTestFile(testFilePath, testFileSize)
+	assert.NoError(t, err)
+	err = uploadFile(testFilePath, testFileName, testFileSize, client)
+	assert.NoError(t, err)
+
+	lockBody := `<?xml version="1.0" encoding="utf-8" ?><d:lockinfo xmlns:d="DAV:"><d:lockscope><d:exclusive/></d:lockscope><d:locktype><d:write/></d:locktype></d:lockinfo>`
+	req, err := http.NewRequest("LOCK", fmt.Sprintf("http://%v/%v", webDavServerAddr, testFileName), bytes.NewReader([]byte(lockBody)))
+	assert.NoError(t, err)
+	req.SetBasicAuth(u.Username, u.Password)
+	httpClient := httpclient.GetHTTPClient()
+	resp, err := httpClient.Do(req)
+	assert.NoError(t, err)
+	assert.Equal(t, http.StatusOK, resp.StatusCode)
+	response, err := io.ReadAll(resp.Body)
+	assert.NoError(t, err)
+	re := regexp.MustCompile(`\<D:locktoken><D:href>.*</D:href>`)
+	lockToken := string(re.Find(response))
+	lockToken = strings.Replace(lockToken, "<D:locktoken><D:href>", "", 1)
+	lockToken = strings.Replace(lockToken, "</D:href>", "", 1)
+	err = resp.Body.Close()
+	assert.NoError(t, err)
+	// MOVE with a lock should succeeded
+	req, err = http.NewRequest("MOVE", fmt.Sprintf("http://%v/%v", webDavServerAddr, testFileName), nil)
+	assert.NoError(t, err)
+	req.Header.Set("If", fmt.Sprintf("(%v)", lockToken))
+	req.Header.Set("Overwrite", "T")
+	req.Header.Set("Destination", path.Join("/", testFileName+"1"))
+	req.SetBasicAuth(u.Username, u.Password)
+	resp, err = httpClient.Do(req)
+	assert.NoError(t, err)
+	assert.Equal(t, http.StatusCreated, resp.StatusCode)
+	err = resp.Body.Close()
+	assert.NoError(t, err)
+
+	_, err = httpdtest.RemoveUser(user, http.StatusOK)
+	assert.NoError(t, err)
+	err = os.RemoveAll(user.GetHomeDir())
+	assert.NoError(t, err)
+}
+
 func TestPropPatch(t *testing.T) {
 	u := getTestUser()
 	u.Username = u.Username + "1"