mirror of
https://github.com/drakkan/sftpgo.git
synced 2025-12-06 22:30:56 +03:00
refactor for secrets management in API and private key handling in SFTPFs
Signed-off-by: Nicola Murino <nicola.murino@gmail.com>
This commit is contained in:
Nicola Murino
@@ -27,7 +27,6 @@ import (
|
||||
|
||||
"github.com/drakkan/sftpgo/v2/internal/common"
|
||||
"github.com/drakkan/sftpgo/v2/internal/dataprovider"
|
||||
"github.com/drakkan/sftpgo/v2/internal/kms"
|
||||
"github.com/drakkan/sftpgo/v2/internal/logger"
|
||||
"github.com/drakkan/sftpgo/v2/internal/smtp"
|
||||
"github.com/drakkan/sftpgo/v2/internal/util"
|
||||
@@ -186,10 +185,7 @@ func updateUser(w http.ResponseWriter, r *http.Request) {
|
||||
updatedUser.Filters.TOTPConfig = user.Filters.TOTPConfig
|
||||
updatedUser.LastPasswordChange = user.LastPasswordChange
|
||||
updatedUser.SetEmptySecretsIfNil()
|
||||
updateEncryptedSecrets(&updatedUser.FsConfig, user.FsConfig.S3Config.AccessSecret, user.FsConfig.AzBlobConfig.AccountKey,
|
||||
user.FsConfig.AzBlobConfig.SASURL, user.FsConfig.GCSConfig.Credentials, user.FsConfig.CryptConfig.Passphrase,
|
||||
user.FsConfig.SFTPConfig.Password, user.FsConfig.SFTPConfig.PrivateKey, user.FsConfig.SFTPConfig.KeyPassphrase,
|
||||
user.FsConfig.HTTPConfig.Password, user.FsConfig.HTTPConfig.APIKey)
|
||||
updateEncryptedSecrets(&updatedUser.FsConfig, &user.FsConfig)
|
||||
if claims.Role != "" {
|
||||
updatedUser.Role = claims.Role
|
||||
}
|
||||
@@ -275,58 +271,54 @@ func disconnectUser(username, admin, role string) {
|
||||
}
|
||||
}
|
||||
|
||||
func updateEncryptedSecrets(fsConfig *vfs.Filesystem, currentS3AccessSecret, currentAzAccountKey, currentAzSASUrl,
|
||||
currentGCSCredentials, currentCryptoPassphrase, currentSFTPPassword, currentSFTPKey, currentSFTPKeyPassphrase,
|
||||
currentHTTPPassword, currentHTTPAPIKey *kms.Secret) {
|
||||
func updateEncryptedSecrets(fsConfig *vfs.Filesystem, currentFsConfig *vfs.Filesystem) {
|
||||
// we use the new access secret if plain or empty, otherwise the old value
|
||||
switch fsConfig.Provider {
|
||||
case sdk.S3FilesystemProvider:
|
||||
if fsConfig.S3Config.AccessSecret.IsNotPlainAndNotEmpty() {
|
||||
fsConfig.S3Config.AccessSecret = currentS3AccessSecret
|
||||
fsConfig.S3Config.AccessSecret = currentFsConfig.S3Config.AccessSecret
|
||||
}
|
||||
case sdk.AzureBlobFilesystemProvider:
|
||||
if fsConfig.AzBlobConfig.AccountKey.IsNotPlainAndNotEmpty() {
|
||||
fsConfig.AzBlobConfig.AccountKey = currentAzAccountKey
|
||||
fsConfig.AzBlobConfig.AccountKey = currentFsConfig.AzBlobConfig.AccountKey
|
||||
}
|
||||
if fsConfig.AzBlobConfig.SASURL.IsNotPlainAndNotEmpty() {
|
||||
fsConfig.AzBlobConfig.SASURL = currentAzSASUrl
|
||||
fsConfig.AzBlobConfig.SASURL = currentFsConfig.AzBlobConfig.SASURL
|
||||
}
|
||||
case sdk.GCSFilesystemProvider:
|
||||
// for GCS credentials will be cleared if we enable automatic credentials
|
||||
// so keep the old credentials here if no new credentials are provided
|
||||
if !fsConfig.GCSConfig.Credentials.IsPlain() {
|
||||
fsConfig.GCSConfig.Credentials = currentGCSCredentials
|
||||
fsConfig.GCSConfig.Credentials = currentFsConfig.GCSConfig.Credentials
|
||||
}
|
||||
case sdk.CryptedFilesystemProvider:
|
||||
if fsConfig.CryptConfig.Passphrase.IsNotPlainAndNotEmpty() {
|
||||
fsConfig.CryptConfig.Passphrase = currentCryptoPassphrase
|
||||
fsConfig.CryptConfig.Passphrase = currentFsConfig.CryptConfig.Passphrase
|
||||
}
|
||||
case sdk.SFTPFilesystemProvider:
|
||||
updateSFTPFsEncryptedSecrets(fsConfig, currentSFTPPassword, currentSFTPKey, currentSFTPKeyPassphrase)
|
||||
updateSFTPFsEncryptedSecrets(fsConfig, currentFsConfig)
|
||||
case sdk.HTTPFilesystemProvider:
|
||||
updateHTTPFsEncryptedSecrets(fsConfig, currentHTTPPassword, currentHTTPAPIKey)
|
||||
updateHTTPFsEncryptedSecrets(fsConfig, currentFsConfig)
|
||||
}
|
||||
}
|
||||
|
||||
func updateSFTPFsEncryptedSecrets(fsConfig *vfs.Filesystem, currentSFTPPassword, currentSFTPKey,
|
||||
currentSFTPKeyPassphrase *kms.Secret,
|
||||
) {
|
||||
func updateSFTPFsEncryptedSecrets(fsConfig *vfs.Filesystem, currentFsConfig *vfs.Filesystem) {
|
||||
if fsConfig.SFTPConfig.Password.IsNotPlainAndNotEmpty() {
|
||||
fsConfig.SFTPConfig.Password = currentSFTPPassword
|
||||
fsConfig.SFTPConfig.Password = currentFsConfig.SFTPConfig.Password
|
||||
}
|
||||
if fsConfig.SFTPConfig.PrivateKey.IsNotPlainAndNotEmpty() {
|
||||
fsConfig.SFTPConfig.PrivateKey = currentSFTPKey
|
||||
fsConfig.SFTPConfig.PrivateKey = currentFsConfig.SFTPConfig.PrivateKey
|
||||
}
|
||||
if fsConfig.SFTPConfig.KeyPassphrase.IsNotPlainAndNotEmpty() {
|
||||
fsConfig.SFTPConfig.KeyPassphrase = currentSFTPKeyPassphrase
|
||||
fsConfig.SFTPConfig.KeyPassphrase = currentFsConfig.SFTPConfig.KeyPassphrase
|
||||
}
|
||||
}
|
||||
|
||||
func updateHTTPFsEncryptedSecrets(fsConfig *vfs.Filesystem, currentHTTPPassword, currentHTTPAPIKey *kms.Secret) {
|
||||
func updateHTTPFsEncryptedSecrets(fsConfig *vfs.Filesystem, currentFsConfig *vfs.Filesystem) {
|
||||
if fsConfig.HTTPConfig.Password.IsNotPlainAndNotEmpty() {
|
||||
fsConfig.HTTPConfig.Password = currentHTTPPassword
|
||||
fsConfig.HTTPConfig.Password = currentFsConfig.HTTPConfig.Password
|
||||
}
|
||||
if fsConfig.HTTPConfig.APIKey.IsNotPlainAndNotEmpty() {
|
||||
fsConfig.HTTPConfig.APIKey = currentHTTPAPIKey
|
||||
fsConfig.HTTPConfig.APIKey = currentFsConfig.HTTPConfig.APIKey
|
||||
}
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user