move IP/Network lists to the data provider

This is a backward incompatible change: all previous file-based IP/network
lists will not work anymore.

Signed-off-by: Nicola Murino <nicola.murino@gmail.com>
Author: Nicola Murino
Date: 2023-02-09 09:33:33 +01:00
parent 2412a0a369
commit 1b1745b7f7
103 changed files with 4958 additions and 1284 deletions


@@ -6,6 +6,7 @@ tags:
- name: admins
- name: API keys
- name: connections
- name: IP Lists
- name: defender
- name: quota
- name: folders
@@ -23,12 +24,12 @@ info:
description: |
SFTPGo allows you to securely share your files over SFTP and optionally over HTTP/S, FTP/S and WebDAV as well.
Several storage backends are supported and they are configurable per-user, so you can serve a local directory for a user and an S3 bucket (or part of it) for another one.
SFTPGo also supports virtual folders, a virtual folder can use any of the supported storage backends. So you can have, for example, an S3 user that exposes a Google Cloud Storage bucket (or part of it) on a specified path and an encrypted local filesystem on another one.
SFTPGo also supports virtual folders, a virtual folder can use any of the supported storage backends. So you can have, for example, a user with the S3 backend mapping a Google Cloud Storage bucket (or part of it) on a specified path and an encrypted local filesystem on another one.
Virtual folders can be private or shared among multiple users, for shared virtual folders you can define different quota limits for each user.
SFTPGo supports groups to simplify the administration of multiple accounts by letting you assign settings once to a group, instead of multiple times to each individual user.
The SFTPGo WebClient allows end users to change their credentials, browse and manage their files in the browser and setup two-factor authentication which works with Authy, Google Authenticator and other compatible apps.
From the WebClient each authorized user can also create HTTP/S links to externally share files and folders securely, by setting limits to the number of downloads/uploads, protecting the share with a password, limiting access by source IP address, setting an automatic expiration date.
version: 2.4.3-dev
version: 2.4.4-dev
contact:
name: API support
url: 'https://github.com/drakkan/sftpgo'
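Review bot: the version line in this hunk only moves from 2.4.3-dev to 2.4.4-dev, yet the commit message says file-based IP/network lists stop working; since the OpenAPI `info.description` is what API consumers read, consider adding a sentence there (or in the changelog) stating that IP/network lists are now stored in the data provider and managed through the `/iplists` endpoints, so operators who still ship list files notice the change before upgrading.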
@@ -783,6 +784,204 @@ paths:
$ref: '#/components/responses/InternalServerError'
default:
$ref: '#/components/responses/DefaultResponse'
/iplists/{type}:
parameters:
- name: type
in: path
description: IP list type
required: true
schema:
$ref: '#/components/schemas/IPListType'
get:
tags:
- IP Lists
summary: Get IP list entries
description: Returns an array with one or more IP list entry
operationId: get_ip_list_entries
parameters:
- in: query
name: filter
schema:
type: string
description: restrict results to ipornet matching or starting with this filter
- in: query
name: from
schema:
type: string
description: ipornet to start from
required: false
- in: query
name: limit
schema:
type: integer
minimum: 1
maximum: 500
default: 100
required: false
description: 'The maximum number of items to return. Max value is 500, default is 100'
- in: query
name: order
required: false
description: Ordering entries by ipornet field. Default ASC
schema:
type: string
enum:
- ASC
- DESC
example: ASC
responses:
'200':
description: successful operation
content:
application/json; charset=utf-8:
schema:
type: array
items:
$ref: '#/components/schemas/IPListEntry'
'400':
$ref: '#/components/responses/BadRequest'
'401':
$ref: '#/components/responses/Unauthorized'
'403':
$ref: '#/components/responses/Forbidden'
'500':
$ref: '#/components/responses/InternalServerError'
default:
$ref: '#/components/responses/DefaultResponse'
post:
tags:
- IP Lists
summary: Add a new IP list entry
description: Add an IP address or a CIDR network to a supported list
operationId: add_ip_list_entry
requestBody:
required: true
content:
application/json; charset=utf-8:
schema:
$ref: '#/components/schemas/IPListEntry'
responses:
'201':
description: successful operation
headers:
Location:
schema:
type: string
description: 'URI of the newly created object'
content:
application/json; charset=utf-8:
schema:
$ref: '#/components/schemas/ApiResponse'
example:
message: Entry added
'400':
$ref: '#/components/responses/BadRequest'
'401':
$ref: '#/components/responses/Unauthorized'
'403':
$ref: '#/components/responses/Forbidden'
'500':
$ref: '#/components/responses/InternalServerError'
default:
$ref: '#/components/responses/DefaultResponse'
/iplists/{type}/{ipornet}:
parameters:
- name: type
in: path
description: IP list type
required: true
schema:
$ref: '#/components/schemas/IPListType'
- name: ipornet
in: path
required: true
schema:
type: string
get:
tags:
- IP Lists
summary: Find entry by ipornet
description: Returns the entry with the given ipornet if it exists.
operationId: get_ip_list_by_ipornet
responses:
'200':
description: successful operation
content:
application/json; charset=utf-8:
schema:
$ref: '#/components/schemas/IPListEntry'
'400':
$ref: '#/components/responses/BadRequest'
'401':
$ref: '#/components/responses/Unauthorized'
'403':
$ref: '#/components/responses/Forbidden'
'404':
$ref: '#/components/responses/NotFound'
'500':
$ref: '#/components/responses/InternalServerError'
default:
$ref: '#/components/responses/DefaultResponse'
put:
tags:
- IP Lists
summary: Update IP list entry
description: Updates an existing IP list entry
operationId: update_ip_list_entry
requestBody:
required: true
content:
application/json; charset=utf-8:
schema:
$ref: '#/components/schemas/IPListEntry'
responses:
'200':
description: successful operation
content:
application/json; charset=utf-8:
schema:
$ref: '#/components/schemas/ApiResponse'
example:
message: Entry updated
'400':
$ref: '#/components/responses/BadRequest'
'401':
$ref: '#/components/responses/Unauthorized'
'403':
$ref: '#/components/responses/Forbidden'
'404':
$ref: '#/components/responses/NotFound'
'500':
$ref: '#/components/responses/InternalServerError'
default:
$ref: '#/components/responses/DefaultResponse'
delete:
tags:
- IP Lists
summary: Delete IP list entry
description: Deletes an existing IP list entry
operationId: delete_ip_list_entry
responses:
'200':
description: successful operation
content:
application/json; charset=utf-8:
schema:
$ref: '#/components/schemas/ApiResponse'
example:
message: Entry deleted
'400':
$ref: '#/components/responses/BadRequest'
'401':
$ref: '#/components/responses/Unauthorized'
'403':
$ref: '#/components/responses/Forbidden'
'404':
$ref: '#/components/responses/NotFound'
'500':
$ref: '#/components/responses/InternalServerError'
default:
$ref: '#/components/responses/DefaultResponse'
/defender/hosts:
get:
tags:
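Review bot: the `ipornet` path parameter of `/iplists/{type}/{ipornet}` has no description, and a CIDR value such as `192.168.0.0/24` contains a slash, so the spec should state that the value must be percent-encoded (`192.168.0.0%2F24`) and that it is matched against the stored `ipornet` key exactly; without that, a client cannot tell whether GET, PUT and DELETE on an entry will route and match. In the same hunk `IPListEntry` is reused unchanged as the POST and PUT request body, so the `type` field in the body can disagree with the `{type}` path parameter: say which one wins (or that the server answers 400), and that `created_at` and `updated_at` in the body are ignored. Two smaller points: the list description "Returns an array with one or more IP list entry" should read "Returns an array of zero or more IP list entries", since a `filter` that matches nothing yields an empty array, and none of the operations mention that the `manage_ip_lists` permission introduced by this commit is what turns the documented 403 on.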
@@ -4616,7 +4815,8 @@ components:
- metadata_checks
- view_events
- manage_event_rules
- manager_roles
- manage_roles
- manage_ip_lists
description: |
Admin permissions:
* `*` - all permissions are granted
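Review bot: renaming the enum value `manager_roles` to `manage_roles` is a second backward incompatible change that the commit message does not mention: any API client or stored admin record that uses the old spelling will no longer validate against this enum. Either list the rename in the commit message and changelog, or keep `manager_roles` as a deprecated alias for one release; in both cases confirm that existing admins persisted with `manager_roles` are migrated rather than silently losing the permission.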
@@ -4638,7 +4838,8 @@ components:
* `metadata_checks` - view and start metadata checks is allowed
* `view_events` - view and search filesystem and provider events is allowed
* `manage_event_rules` - manage event actions and rules is allowed
* `manager_roles` - manage roles is allowed
* `manage_roles` - manage roles is allowed
* `manage_ip_lists` - manage global and ratelimter allow lists and defender block and safe lists is allowed
FsProviders:
type: integer
enum:
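Review bot: "ratelimter" in the `manage_ip_lists` description should be "rate limiter". The same line would be clearer if it named the lists exactly as `IPListType` does in this commit (allow list, defender, rate limiter safe list), so readers can map the permission to the `type` values they will send; it is also worth spelling out that "manage" includes deleting entries from the defender block list, i.e. unblocking hosts, since that is the sensitive capability this permission grants.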
@@ -4903,6 +5104,26 @@ components:
TLS version:
* `12` - TLS 1.2
* `13` - TLS 1.3
IPListType:
type: integer
enum:
- 1
- 2
- 3
description: >
IP List types:
* `1` - allow list
* `2` - defender
* `3` - rate limiter safe list
IPListMode:
type: integer
enum:
- 1
- 2
description: >
IP list modes
* `1` - allow
* `2` - deny, supported for defender list type only
TOTPConfig:
type: object
properties:
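Review bot: `IPListMode` says that mode `2` (deny) is supported for the defender list type only, but nothing in the schema expresses that, so document that the server rejects mode `2` for types `1` and `3` with a 400 rather than storing an entry that is never enforced. It would also help to state what mode `1` means per type: for the defender type an allow entry is a safe-list entry (never blocked) while a deny entry is a block entry, which is the distinction the `manage_ip_lists` permission text in this commit refers to. Finally, the type names are inconsistent: `1 - allow list` and `3 - rate limiter safe list` name a list, while `2 - defender` names a component; `2 - defender list` reads better.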
@@ -4948,7 +5169,7 @@ components:
properties:
path:
type: string
description: 'exposed virtual path, if no other specific filter is defined, the filter applies for sub directories too. For example if filters are defined for the paths "/" and "/sub" then the filters for "/" are applied for any file outside the "/sub" directory'
description: 'virtual path as seen by users, if no other specific filter is defined, the filter applies for sub directories too. For example if filters are defined for the paths "/" and "/sub" then the filters for "/" are applied for any file outside the "/sub" directory'
allowed_patterns:
type: array
items:
@@ -5665,7 +5886,7 @@ components:
description: Last user login as unix timestamp in milliseconds. It is saved at most once every 10 minutes
role:
type: string
description: 'If set the admin can only administer users with the same role. Role admins cannot have the following permissions: "manage_admins", "manage_apikeys", "manage_system", "manage_event_rules", "manage_roles"'
description: 'If set the admin can only administer users with the same role. Role admins cannot have the following permissions: "manage_admins", "manage_apikeys", "manage_system", "manage_event_rules", "manage_roles", "manage_ip_lists"'
AdminProfile:
type: object
properties:
@@ -5823,7 +6044,7 @@ components:
properties:
path:
type: string
description: 'exposed virtual directory path, if no other specific retention is defined, the retention applies for sub directories too. For example if retention is defined for the paths "/" and "/sub" then the retention for "/" is applied for any file outside the "/sub" directory'
description: 'virtual directory path as seen by users, if no other specific retention is defined, the retention applies for sub directories too. For example if retention is defined for the paths "/" and "/sub" then the retention for "/" is applied for any file outside the "/sub" directory'
example: '/'
retention:
type: integer
@@ -5985,7 +6206,7 @@ components:
$ref: '#/components/schemas/TLSVersions'
force_passive_ip:
type: string
description: External IP address to expose for passive connections
description: External IP address for passive connections
passive_ip_overrides:
type: array
items:
@@ -6107,6 +6328,21 @@ components:
type: boolean
mfa:
$ref: '#/components/schemas/MFAStatus'
allow_list:
type: object
properties:
is_active:
type: boolean
rate_limiters:
type: object
properties:
is_active:
type: boolean
protocols:
type: array
items:
type: string
example: SSH
Share:
type: object
properties:
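Review bot: `rate_limiters.protocols` in this status object is an array of strings (example `SSH`), while `IPListEntry.protocols` added in the same commit is an integer bitmask (1 SSH, 2 FTP, 4 WebDAV, 8 HTTP). Clients now have to handle two encodings of the same concept; either use the string form in both places or add the mapping to this field's description so the two can be correlated.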
@@ -6827,6 +7063,30 @@ components:
type: array
items:
$ref: '#/components/schemas/EventActionMinimal'
IPListEntry:
type: object
properties:
ipornet:
type: string
description: IP address or network in CIDR format, for example `192.168.1.2/32`, `192.168.0.0/24`, `2001:db8::/32`
description:
type: string
description: optional description
type:
$ref: '#/components/schemas/IPListType'
mode:
$ref: '#/components/schemas/IPListMode'
protocols:
type: integer
description: Defines the protocol the entry applies to. `0` means all the supported protocols, 1 SSH, 2 FTP, 4 WebDAV, 8 HTTP. Protocols can be combined, for example 3 means SSH and FTP
created_at:
type: integer
format: int64
description: creation time as unix timestamp in milliseconds
updated_at:
type: integer
format: int64
description: last update time as unix timestamp in millisecond
ApiResponse:
type: object
properties:
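Review bot: `ipornet` is both the value users submit and the lookup key of `/iplists/{type}/{ipornet}`, so the description should state whether a bare address such as `192.168.1.2` is accepted and normalized to `/32`, and whether networks with host bits set (`192.168.1.5/24`) or non-canonical IPv6 spellings (`2001:0db8::/32`) are canonicalized before being stored. Without a stated canonical form two textual spellings of the same prefix can coexist as separate entries, and a DELETE by the spelling the operator remembers can miss the entry that is actually matching traffic. For `protocols`, state the valid range (0 to 15) and that unknown bits are rejected, and mark `created_at` and `updated_at` as `readOnly: true` since the schema is reused as the POST and PUT body; `required` should list `ipornet`, `type` and `mode`. Minor: "unix timestamp in millisecond" on `updated_at` should read "milliseconds", matching `created_at`.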