Mirrors/sftpgo
1
0
Fork 0
mirror of https://github.com/drakkan/sftpgo.git synced 2025-12-07 06:40:54 +03:00
Code Issues Packages Projects Releases Wiki Activity

WebClient: allow to set TLS certificates

Browse Source 
Signed-off-by: Nicola Murino <nicola.murino@gmail.com>
This commit is contained in:
Nicola Murino
2024-05-03 18:30:03 +02:00
parent 58a8b2b860
commit a1af33c6aa
13 changed files with 250 additions and 97 deletions
Download Patch File Download Diff File Expand all files Collapse all files

25
internal/dataprovider/dataprovider.go
View File

@@ -3037,27 +3037,31 @@ func validateFilterProtocols(filters *sdk.BaseUserFilters) error {
return nil
}
func validateTLSCerts(certs []string) error {
func validateTLSCerts(certs []string) ([]string, error) {
var validateCerts []string
for idx, cert := range certs {
if cert == "" {
continue
}
derBlock, _ := pem.Decode([]byte(cert))
if derBlock == nil {
return util.NewI18nError(
return nil, util.NewI18nError(
util.NewValidationError(fmt.Sprintf("invalid TLS certificate %d", idx)),
util.I18nErrorInvalidTLSCert,
)
}
cert, err := x509.ParseCertificate(derBlock.Bytes)
crt, err := x509.ParseCertificate(derBlock.Bytes)
if err != nil {
return util.NewI18nError(
return nil, util.NewI18nError(
util.NewValidationError(fmt.Sprintf("error parsing TLS certificate %d", idx)),
util.I18nErrorInvalidTLSCert,
)
}
if cert.PublicKeyAlgorithm == x509.RSA {
if rsaCert, ok := cert.PublicKey.(*rsa.PublicKey); ok {
if crt.PublicKeyAlgorithm == x509.RSA {
if rsaCert, ok := crt.PublicKey.(*rsa.PublicKey); ok {
if size := rsaCert.N.BitLen(); size < 2048 {
providerLog(logger.LevelError, "rsa cert with size %d not accepted, minimum 2048", size)
return util.NewI18nError(
return nil, util.NewI18nError(
util.NewValidationError(fmt.Sprintf("invalid size %d for rsa cert at position %d, minimum 2048",
size, idx)),
util.I18nErrorKeySizeInvalid,
@@ -3065,8 +3069,9 @@ func validateTLSCerts(certs []string) error {
}
}
}
validateCerts = append(validateCerts, cert)
}
return nil
return validateCerts, nil
}
func validateBaseFilters(filters *sdk.BaseUserFilters) error {
@@ -3093,9 +3098,11 @@ func validateBaseFilters(filters *sdk.BaseUserFilters) error {
return util.NewValidationError(fmt.Sprintf("invalid TLS username: %q", filters.TLSUsername))
}
}
if err := validateTLSCerts(filters.TLSCerts); err != nil {
certs, err := validateTLSCerts(filters.TLSCerts)
if err != nil {
return err
}
filters.TLSCerts = certs
for _, opts := range filters.WebClient {
if !util.Contains(sdk.WebClientOptions, opts) {
return util.NewValidationError(fmt.Sprintf("invalid web client options %q", opts))