backport OIDC related changes from main

Signed-off-by: Nicola Murino <nicola.murino@gmail.com>
This commit is contained in:
Nicola Murino
2022-07-23 15:31:57 +02:00
parent b34bc2b818
commit 2da19ef233
19 changed files with 364 additions and 111 deletions


@@ -19,6 +19,7 @@ package httpd
import (
"crypto/sha256"
"errors"
"fmt"
"net"
"net/http"
@@ -410,6 +411,17 @@ type Binding struct {
// Enable the built-in client interface.
// You have to define TemplatesPath and StaticFilesPath for this to work
EnableWebClient bool `json:"enable_web_client" mapstructure:"enable_web_client"`
// Defines the login methods available for the WebAdmin and WebClient UIs:
//
// - 0 means any configured method: username/password login form and OIDC, if enabled
// - 1 means OIDC for the WebAdmin UI
// - 2 means OIDC for the WebClient UI
// - 4 means login form for the WebAdmin UI
// - 8 means login form for the WebClient UI
//
// You can combine the values. For example 3 means that you can only login using OIDC on
// both WebClient and WebAdmin UI.
EnabledLoginMethods int `json:"enabled_login_methods" mapstructure:"enabled_login_methods"`
// you also need to provide a certificate for enabling HTTPS
EnableHTTPS bool `json:"enable_https" mapstructure:"enable_https"`
// Certificate and matching private key for this specific binding, if empty the global
@@ -520,6 +532,66 @@ func (b *Binding) IsValid() bool {
return false
}
func (b *Binding) isWebAdminOIDCLoginDisabled() bool {
if b.EnableWebAdmin {
if b.EnabledLoginMethods == 0 {
return false
}
return b.EnabledLoginMethods&1 == 0
}
return false
}
func (b *Binding) isWebClientOIDCLoginDisabled() bool {
if b.EnableWebClient {
if b.EnabledLoginMethods == 0 {
return false
}
return b.EnabledLoginMethods&2 == 0
}
return false
}
func (b *Binding) isWebAdminLoginFormDisabled() bool {
if b.EnableWebAdmin {
if b.EnabledLoginMethods == 0 {
return false
}
return b.EnabledLoginMethods&4 == 0
}
return false
}
func (b *Binding) isWebClientLoginFormDisabled() bool {
if b.EnableWebClient {
if b.EnabledLoginMethods == 0 {
return false
}
return b.EnabledLoginMethods&8 == 0
}
return false
}
func (b *Binding) checkLoginMethods() error {
if b.isWebAdminLoginFormDisabled() && b.isWebAdminOIDCLoginDisabled() {
return errors.New("no login method available for WebAdmin UI")
}
if !b.isWebAdminOIDCLoginDisabled() {
if b.isWebAdminLoginFormDisabled() && !b.OIDC.hasRoles() {
return errors.New("no login method available for WebAdmin UI")
}
}
if b.isWebClientLoginFormDisabled() && b.isWebClientOIDCLoginDisabled() {
return errors.New("no login method available for WebClient UI")
}
if !b.isWebClientOIDCLoginDisabled() {
if b.isWebClientLoginFormDisabled() && !b.OIDC.isEnabled() {
return errors.New("no login method available for WebClient UI")
}
}
return nil
}
func (b *Binding) showAdminLoginURL() bool {
if !b.EnableWebAdmin {
return false
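Review bot: checkLoginMethods requires `b.OIDC.hasRoles()` for an OIDC-only WebAdmin UI but only `b.OIDC.isEnabled()` for an OIDC-only WebClient UI, and nothing in the hunk records why the two gates differ; a comment above the WebAdmin branch such as `// OIDC-only admin access needs a role mapping to decide who is an admin; presumably hasRoles() implies isEnabled() — confirm` would make the intent auditable for whoever next touches the login-method bits. The four isWeb*Disabled helpers differ only in the enable field and the flag bit; a single `func (b *Binding) isLoginMethodDisabled(uiEnabled bool, bit int) bool` called with `1`, `2`, `4`, `8` would keep the bit table next to the EnabledLoginMethods field as the one place those values appear. The two identical error strings per UI could likewise become one sentinel each so a future wording change cannot drift between the branches. showAdminLoginURL starts in this hunk but its body ends outside it.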
@@ -783,6 +855,10 @@ func (c *Conf) Initialize(configDir string, isShared int) error {
exitChannel <- err
return
}
if err := b.checkLoginMethods(); err != nil {
exitChannel <- err
return
}
server := newHttpdServer(b, staticFilesPath, c.SigningPassphrase, c.Cors, openAPIPath)
exitChannel <- server.listenAndServe()