mirror of
https://github.com/drakkan/sftpgo.git
synced 2025-12-06 22:30:56 +03:00
webdav: remove the username path prefix
so we have the same URIs for all protocols Fixes #293
This commit is contained in:
Nicola Murino
@@ -27,7 +27,6 @@ import (
|
|||||||
|
|
||||||
var (
|
var (
|
||||||
err401 = errors.New("Unauthorized")
|
err401 = errors.New("Unauthorized")
|
||||||
err403 = errors.New("Forbidden")
|
|
||||||
xForwardedFor = http.CanonicalHeaderKey("X-Forwarded-For")
|
xForwardedFor = http.CanonicalHeaderKey("X-Forwarded-For")
|
||||||
xRealIP = http.CanonicalHeaderKey("X-Real-IP")
|
xRealIP = http.CanonicalHeaderKey("X-Real-IP")
|
||||||
)
|
)
|
||||||
@@ -105,11 +104,11 @@ func (s *webDavServer) verifyTLSConnection(state tls.ConnectionState) error {
|
|||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
// returns true if a response was sent
|
// returns true if we have to handle a HEAD response, for a directory, ourself
|
||||||
func (s *webDavServer) checkRequestMethod(ctx context.Context, r *http.Request, connection *Connection, prefix string) bool {
|
func (s *webDavServer) checkRequestMethod(ctx context.Context, r *http.Request, connection *Connection) bool {
|
||||||
// see RFC4918, section 9.4
|
// see RFC4918, section 9.4
|
||||||
if r.Method == http.MethodGet || r.Method == http.MethodHead {
|
if r.Method == http.MethodGet || r.Method == http.MethodHead {
|
||||||
p := strings.TrimPrefix(path.Clean(r.URL.Path), prefix)
|
p := path.Clean(r.URL.Path)
|
||||||
info, err := connection.Stat(ctx, p)
|
info, err := connection.Stat(ctx, p)
|
||||||
if err == nil && info.IsDir() {
|
if err == nil && info.IsDir() {
|
||||||
if r.Method == http.MethodHead {
|
if r.Method == http.MethodHead {
|
||||||
@@ -154,11 +153,6 @@ func (s *webDavServer) ServeHTTP(w http.ResponseWriter, r *http.Request) {
|
|||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
if path.Clean(r.URL.Path) == "/" && (r.Method == http.MethodGet || r.Method == "PROPFIND" || r.Method == http.MethodOptions) {
|
|
||||||
http.Redirect(w, r, path.Join("/", user.Username), http.StatusMovedPermanently)
|
|
||||||
return
|
|
||||||
}
|
|
||||||
|
|
||||||
connectionID, err := s.validateUser(&user, r)
|
connectionID, err := s.validateUser(&user, r)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
updateLoginMetrics(&user, ipAddr, err)
|
updateLoginMetrics(&user, ipAddr, err)
|
||||||
@@ -187,8 +181,7 @@ func (s *webDavServer) ServeHTTP(w http.ResponseWriter, r *http.Request) {
|
|||||||
|
|
||||||
dataprovider.UpdateLastLogin(user) //nolint:errcheck
|
dataprovider.UpdateLastLogin(user) //nolint:errcheck
|
||||||
|
|
||||||
prefix := path.Join("/", user.Username)
|
if s.checkRequestMethod(ctx, r, connection) {
|
||||||
if s.checkRequestMethod(ctx, r, connection, prefix) {
|
|
||||||
w.Header().Set("Content-Type", "text/xml; charset=utf-8")
|
w.Header().Set("Content-Type", "text/xml; charset=utf-8")
|
||||||
w.WriteHeader(http.StatusMultiStatus)
|
w.WriteHeader(http.StatusMultiStatus)
|
||||||
w.Write([]byte("")) //nolint:errcheck
|
w.Write([]byte("")) //nolint:errcheck
|
||||||
@@ -196,7 +189,6 @@ func (s *webDavServer) ServeHTTP(w http.ResponseWriter, r *http.Request) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
handler := webdav.Handler{
|
handler := webdav.Handler{
|
||||||
Prefix: prefix,
|
|
||||||
FileSystem: connection,
|
FileSystem: connection,
|
||||||
LockSystem: lockSystem,
|
LockSystem: lockSystem,
|
||||||
Logger: writeLog,
|
Logger: writeLog,
|
||||||
@@ -257,12 +249,6 @@ func (s *webDavServer) validateUser(user *dataprovider.User, r *http.Request) (s
|
|||||||
connID := xid.New().String()
|
connID := xid.New().String()
|
||||||
connectionID := fmt.Sprintf("%v_%v", common.ProtocolWebDAV, connID)
|
connectionID := fmt.Sprintf("%v_%v", common.ProtocolWebDAV, connID)
|
||||||
|
|
||||||
uriSegments := strings.Split(path.Clean(r.URL.Path), "/")
|
|
||||||
if len(uriSegments) < 2 || uriSegments[1] != user.Username {
|
|
||||||
logger.Debug(logSender, connectionID, "URI %#v not allowed for user %#v", r.URL.Path, user.Username)
|
|
||||||
return connID, err403
|
|
||||||
}
|
|
||||||
|
|
||||||
if !filepath.IsAbs(user.HomeDir) {
|
if !filepath.IsAbs(user.HomeDir) {
|
||||||
logger.Warn(logSender, connectionID, "user %#v has an invalid home dir: %#v. Home dir must be an absolute path, login not allowed",
|
logger.Warn(logSender, connectionID, "user %#v has an invalid home dir: %#v. Home dir must be an absolute path, login not allowed",
|
||||||
user.Username, user.HomeDir)
|
user.Username, user.HomeDir)
|
||||||
|
|||||||
@@ -4,7 +4,6 @@ import (
|
|||||||
"bytes"
|
"bytes"
|
||||||
"crypto/rand"
|
"crypto/rand"
|
||||||
"encoding/json"
|
"encoding/json"
|
||||||
"errors"
|
|
||||||
"fmt"
|
"fmt"
|
||||||
"io"
|
"io"
|
||||||
"io/ioutil"
|
"io/ioutil"
|
||||||
@@ -472,7 +471,7 @@ func TestPropPatch(t *testing.T) {
|
|||||||
assert.NoError(t, err)
|
assert.NoError(t, err)
|
||||||
httpClient := httpclient.GetHTTPClient()
|
httpClient := httpclient.GetHTTPClient()
|
||||||
propatchBody := `<?xml version="1.0" encoding="utf-8" ?><D:propertyupdate xmlns:D="DAV:" xmlns:Z="urn:schemas-microsoft-com:"><D:set><D:prop><Z:Win32CreationTime>Wed, 04 Nov 2020 13:25:51 GMT</Z:Win32CreationTime><Z:Win32LastAccessTime>Sat, 05 Dec 2020 21:16:12 GMT</Z:Win32LastAccessTime><Z:Win32LastModifiedTime>Wed, 04 Nov 2020 13:25:51 GMT</Z:Win32LastModifiedTime><Z:Win32FileAttributes>00000000</Z:Win32FileAttributes></D:prop></D:set></D:propertyupdate>`
|
propatchBody := `<?xml version="1.0" encoding="utf-8" ?><D:propertyupdate xmlns:D="DAV:" xmlns:Z="urn:schemas-microsoft-com:"><D:set><D:prop><Z:Win32CreationTime>Wed, 04 Nov 2020 13:25:51 GMT</Z:Win32CreationTime><Z:Win32LastAccessTime>Sat, 05 Dec 2020 21:16:12 GMT</Z:Win32LastAccessTime><Z:Win32LastModifiedTime>Wed, 04 Nov 2020 13:25:51 GMT</Z:Win32LastModifiedTime><Z:Win32FileAttributes>00000000</Z:Win32FileAttributes></D:prop></D:set></D:propertyupdate>`
|
||||||
req, err := http.NewRequest("PROPPATCH", fmt.Sprintf("http://%v/%v/%v", webDavServerAddr, user.Username, testFileName), bytes.NewReader([]byte(propatchBody)))
|
req, err := http.NewRequest("PROPPATCH", fmt.Sprintf("http://%v/%v", webDavServerAddr, testFileName), bytes.NewReader([]byte(propatchBody)))
|
||||||
assert.NoError(t, err)
|
assert.NoError(t, err)
|
||||||
req.SetBasicAuth(u.Username, u.Password)
|
req.SetBasicAuth(u.Username, u.Password)
|
||||||
resp, err := httpClient.Do(req)
|
resp, err := httpClient.Do(req)
|
||||||
@@ -554,68 +553,6 @@ func TestDefender(t *testing.T) {
|
|||||||
assert.NoError(t, err)
|
assert.NoError(t, err)
|
||||||
}
|
}
|
||||||
|
|
||||||
func TestLoginInvalidURL(t *testing.T) {
|
|
||||||
u := getTestUser()
|
|
||||||
user, _, err := httpdtest.AddUser(u, http.StatusCreated)
|
|
||||||
assert.NoError(t, err)
|
|
||||||
u1 := getTestUser()
|
|
||||||
u1.Username = user.Username + "1"
|
|
||||||
user1, _, err := httpdtest.AddUser(u1, http.StatusCreated)
|
|
||||||
assert.NoError(t, err)
|
|
||||||
rootPath := fmt.Sprintf("http://%v/%v", webDavServerAddr, user.Username+"1")
|
|
||||||
client := gowebdav.NewClient(rootPath, user.Username, defaultPassword)
|
|
||||||
client.SetTimeout(5 * time.Second)
|
|
||||||
assert.Error(t, checkBasicFunc(client))
|
|
||||||
_, err = httpdtest.RemoveUser(user, http.StatusOK)
|
|
||||||
assert.NoError(t, err)
|
|
||||||
_, err = httpdtest.RemoveUser(user1, http.StatusOK)
|
|
||||||
assert.NoError(t, err)
|
|
||||||
}
|
|
||||||
|
|
||||||
func TestRootRedirect(t *testing.T) {
|
|
||||||
errRedirect := errors.New("redirect error")
|
|
||||||
u := getTestUser()
|
|
||||||
user, _, err := httpdtest.AddUser(u, http.StatusCreated)
|
|
||||||
assert.NoError(t, err)
|
|
||||||
client := getWebDavClient(user)
|
|
||||||
assert.NoError(t, checkBasicFunc(client))
|
|
||||||
rootPath := fmt.Sprintf("http://%v/", webDavServerAddr)
|
|
||||||
httpClient := httpclient.GetHTTPClient()
|
|
||||||
httpClient.CheckRedirect = func(req *http.Request, via []*http.Request) error {
|
|
||||||
return errRedirect
|
|
||||||
}
|
|
||||||
req, err := http.NewRequest(http.MethodOptions, rootPath, nil)
|
|
||||||
assert.NoError(t, err)
|
|
||||||
req.SetBasicAuth(u.Username, u.Password)
|
|
||||||
resp, err := httpClient.Do(req)
|
|
||||||
if assert.Error(t, err) {
|
|
||||||
assert.Contains(t, err.Error(), errRedirect.Error())
|
|
||||||
}
|
|
||||||
err = resp.Body.Close()
|
|
||||||
assert.NoError(t, err)
|
|
||||||
req, err = http.NewRequest(http.MethodGet, rootPath, nil)
|
|
||||||
assert.NoError(t, err)
|
|
||||||
req.SetBasicAuth(u.Username, u.Password)
|
|
||||||
resp, err = httpClient.Do(req)
|
|
||||||
if assert.Error(t, err) {
|
|
||||||
assert.Contains(t, err.Error(), errRedirect.Error())
|
|
||||||
}
|
|
||||||
err = resp.Body.Close()
|
|
||||||
assert.NoError(t, err)
|
|
||||||
req, err = http.NewRequest("PROPFIND", rootPath, nil)
|
|
||||||
assert.NoError(t, err)
|
|
||||||
req.SetBasicAuth(u.Username, u.Password)
|
|
||||||
resp, err = httpClient.Do(req)
|
|
||||||
if assert.Error(t, err) {
|
|
||||||
assert.Contains(t, err.Error(), errRedirect.Error())
|
|
||||||
}
|
|
||||||
err = resp.Body.Close()
|
|
||||||
assert.NoError(t, err)
|
|
||||||
|
|
||||||
_, err = httpdtest.RemoveUser(user, http.StatusOK)
|
|
||||||
assert.NoError(t, err)
|
|
||||||
}
|
|
||||||
|
|
||||||
func TestLoginExternalAuth(t *testing.T) {
|
func TestLoginExternalAuth(t *testing.T) {
|
||||||
if runtime.GOOS == osWindows {
|
if runtime.GOOS == osWindows {
|
||||||
t.Skip("this test is not available on Windows")
|
t.Skip("this test is not available on Windows")
|
||||||
@@ -1275,7 +1212,7 @@ func TestBytesRangeRequests(t *testing.T) {
|
|||||||
client := getWebDavClient(user)
|
client := getWebDavClient(user)
|
||||||
err = uploadFile(testFilePath, testFileName, int64(len(fileContent)), client)
|
err = uploadFile(testFilePath, testFileName, int64(len(fileContent)), client)
|
||||||
assert.NoError(t, err)
|
assert.NoError(t, err)
|
||||||
remotePath := fmt.Sprintf("http://%v/%v/%v", webDavServerAddr, user.Username, testFileName)
|
remotePath := fmt.Sprintf("http://%v/%v", webDavServerAddr, testFileName)
|
||||||
req, err := http.NewRequest(http.MethodGet, remotePath, nil)
|
req, err := http.NewRequest(http.MethodGet, remotePath, nil)
|
||||||
if assert.NoError(t, err) {
|
if assert.NoError(t, err) {
|
||||||
httpClient := httpclient.GetHTTPClient()
|
httpClient := httpclient.GetHTTPClient()
|
||||||
@@ -1318,7 +1255,7 @@ func TestHEAD(t *testing.T) {
|
|||||||
u := getTestUser()
|
u := getTestUser()
|
||||||
user, _, err := httpdtest.AddUser(u, http.StatusCreated)
|
user, _, err := httpdtest.AddUser(u, http.StatusCreated)
|
||||||
assert.NoError(t, err)
|
assert.NoError(t, err)
|
||||||
rootPath := fmt.Sprintf("http://%v/%v", webDavServerAddr, user.Username)
|
rootPath := fmt.Sprintf("http://%v", webDavServerAddr)
|
||||||
httpClient := httpclient.GetHTTPClient()
|
httpClient := httpclient.GetHTTPClient()
|
||||||
req, err := http.NewRequest(http.MethodHead, rootPath, nil)
|
req, err := http.NewRequest(http.MethodHead, rootPath, nil)
|
||||||
if assert.NoError(t, err) {
|
if assert.NoError(t, err) {
|
||||||
@@ -1343,7 +1280,7 @@ func TestGETAsPROPFIND(t *testing.T) {
|
|||||||
u.Permissions[subDir1] = []string{dataprovider.PermUpload, dataprovider.PermCreateDirs}
|
u.Permissions[subDir1] = []string{dataprovider.PermUpload, dataprovider.PermCreateDirs}
|
||||||
user, _, err := httpdtest.AddUser(u, http.StatusCreated)
|
user, _, err := httpdtest.AddUser(u, http.StatusCreated)
|
||||||
assert.NoError(t, err)
|
assert.NoError(t, err)
|
||||||
rootPath := fmt.Sprintf("http://%v/%v", webDavServerAddr, user.Username)
|
rootPath := fmt.Sprintf("http://%v/", webDavServerAddr)
|
||||||
httpClient := httpclient.GetHTTPClient()
|
httpClient := httpclient.GetHTTPClient()
|
||||||
req, err := http.NewRequest(http.MethodGet, rootPath, nil)
|
req, err := http.NewRequest(http.MethodGet, rootPath, nil)
|
||||||
if assert.NoError(t, err) {
|
if assert.NoError(t, err) {
|
||||||
@@ -1357,7 +1294,7 @@ func TestGETAsPROPFIND(t *testing.T) {
|
|||||||
client := getWebDavClient(user)
|
client := getWebDavClient(user)
|
||||||
err = client.MkdirAll(path.Join(subDir1, "sub", "sub1"), os.ModePerm)
|
err = client.MkdirAll(path.Join(subDir1, "sub", "sub1"), os.ModePerm)
|
||||||
assert.NoError(t, err)
|
assert.NoError(t, err)
|
||||||
subPath := fmt.Sprintf("http://%v/%v", webDavServerAddr, path.Join(user.Username, subDir1))
|
subPath := fmt.Sprintf("http://%v/%v", webDavServerAddr, subDir1)
|
||||||
req, err = http.NewRequest(http.MethodGet, subPath, nil)
|
req, err = http.NewRequest(http.MethodGet, subPath, nil)
|
||||||
if assert.NoError(t, err) {
|
if assert.NoError(t, err) {
|
||||||
req.SetBasicAuth(u.Username, u.Password)
|
req.SetBasicAuth(u.Username, u.Password)
|
||||||
@@ -1370,7 +1307,7 @@ func TestGETAsPROPFIND(t *testing.T) {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
// we cannot stat the sub at all
|
// we cannot stat the sub at all
|
||||||
subPath1 := fmt.Sprintf("http://%v/%v", webDavServerAddr, path.Join(user.Username, subDir1, "sub"))
|
subPath1 := fmt.Sprintf("http://%v/%v", webDavServerAddr, path.Join(subDir1, "sub"))
|
||||||
req, err = http.NewRequest(http.MethodGet, subPath1, nil)
|
req, err = http.NewRequest(http.MethodGet, subPath1, nil)
|
||||||
if assert.NoError(t, err) {
|
if assert.NoError(t, err) {
|
||||||
req.SetBasicAuth(u.Username, u.Password)
|
req.SetBasicAuth(u.Username, u.Password)
|
||||||
@@ -1622,7 +1559,7 @@ func downloadFile(remoteSourcePath string, localDestPath string, expectedSize in
|
|||||||
}
|
}
|
||||||
|
|
||||||
func getWebDavClient(user dataprovider.User) *gowebdav.Client {
|
func getWebDavClient(user dataprovider.User) *gowebdav.Client {
|
||||||
rootPath := fmt.Sprintf("http://%v/%v", webDavServerAddr, user.Username)
|
rootPath := fmt.Sprintf("http://%v/", webDavServerAddr)
|
||||||
pwd := defaultPassword
|
pwd := defaultPassword
|
||||||
if len(user.Password) > 0 {
|
if len(user.Password) > 0 {
|
||||||
pwd = user.Password
|
pwd = user.Password
|
||||||
|
|||||||
Reference in New Issue
Block a user