external auth: add example HTTP server to use as authentication hook

The server authenticate against an LDAP server.

examples/ldapauthserver/README.md

@@ -0,0 +1,11 @@
+## LDAPAuthServer
+
+This is an example for an HTTP server to use as external authentication HTTP hook. It performs authentication against an LDAP server.
+It is tested against [389ds](https://directory.fedoraproject.org/) and can be used as starting point to authenticate using any LDAP server including Active Directory.
+
+You can configure the server using the [ldapauth.toml](./ldapauth.toml) configuration file.
+You can build this example using the following command:
+
+```
+go build -i -ldflags "-s -w" -o ldapauthserver
+```

examples/ldapauthserver/cmd/root.go

@@ -0,0 +1,137 @@
+package cmd
+
+import (
+	"fmt"
+	"os"
+
+	"github.com/drakkan/sftpgo/ldapauthserver/config"
+	"github.com/drakkan/sftpgo/ldapauthserver/utils"
+	"github.com/spf13/cobra"
+	"github.com/spf13/viper"
+)
+
+const (
+	logSender           = "cmd"
+	configDirFlag       = "config-dir"
+	configDirKey        = "config_dir"
+	configFileFlag      = "config-file"
+	configFileKey       = "config_file"
+	logFilePathFlag     = "log-file-path"
+	logFilePathKey      = "log_file_path"
+	logMaxSizeFlag      = "log-max-size"
+	logMaxSizeKey       = "log_max_size"
+	logMaxBackupFlag    = "log-max-backups"
+	logMaxBackupKey     = "log_max_backups"
+	logMaxAgeFlag       = "log-max-age"
+	logMaxAgeKey        = "log_max_age"
+	logCompressFlag     = "log-compress"
+	logCompressKey      = "log_compress"
+	logVerboseFlag      = "log-verbose"
+	logVerboseKey       = "log_verbose"
+	profilerFlag        = "profiler"
+	profilerKey         = "profiler"
+	defaultConfigDir    = "."
+	defaultConfigName   = config.DefaultConfigName
+	defaultLogFile      = "ldapauth.log"
+	defaultLogMaxSize   = 10
+	defaultLogMaxBackup = 5
+	defaultLogMaxAge    = 28
+	defaultLogCompress  = false
+	defaultLogVerbose   = true
+)
+
+var (
+	configDir     string
+	configFile    string
+	logFilePath   string
+	logMaxSize    int
+	logMaxBackups int
+	logMaxAge     int
+	logCompress   bool
+	logVerbose    bool
+
+	rootCmd = &cobra.Command{
+		Use:   "ldapauthserver",
+		Short: "LDAP Authentication Server for SFTPGo",
+	}
+)
+
+func init() {
+	version := utils.GetAppVersion()
+	rootCmd.Flags().BoolP("version", "v", false, "")
+	rootCmd.Version = version.GetVersionAsString()
+	rootCmd.SetVersionTemplate(`{{printf "LDAP Authentication Server version: "}}{{printf "%s" .Version}}
+`)
+}
+
+// Execute adds all child commands to the root command and sets flags appropriately.
+// This is called by main.main(). It only needs to happen once to the rootCmd.
+func Execute() {
+	if err := rootCmd.Execute(); err != nil {
+		fmt.Println(err)
+		os.Exit(1)
+	}
+}
+
+func addConfigFlags(cmd *cobra.Command) {
+	viper.SetDefault(configDirKey, defaultConfigDir)
+	viper.BindEnv(configDirKey, "LDAPAUTH_CONFIG_DIR")
+	cmd.Flags().StringVarP(&configDir, configDirFlag, "c", viper.GetString(configDirKey),
+		"Location for the config dir. This directory should contain the \"ldapauth\" configuration file or the configured "+
+			"config-file. This flag can be set using LDAPAUTH_CONFIG_DIR env var too.")
+	viper.BindPFlag(configDirKey, cmd.Flags().Lookup(configDirFlag))
+
+	viper.SetDefault(configFileKey, defaultConfigName)
+	viper.BindEnv(configFileKey, "LDAPAUTH_CONFIG_FILE")
+	cmd.Flags().StringVarP(&configFile, configFileFlag, "f", viper.GetString(configFileKey),
+		"Name for the configuration file. It must be the name of a file stored in config-dir not the absolute path to the "+
+			"configuration file. The specified file name must have no extension we automatically load JSON, YAML, TOML, HCL and "+
+			"Java properties. Therefore if you set \"ldapauth\" then \"ldapauth.toml\", \"ldapauth.yaml\" and so on are searched. "+
+			"This flag can be set using LDAPAUTH_CONFIG_FILE env var too.")
+	viper.BindPFlag(configFileKey, cmd.Flags().Lookup(configFileFlag))
+}
+
+func addServeFlags(cmd *cobra.Command) {
+	addConfigFlags(cmd)
+
+	viper.SetDefault(logFilePathKey, defaultLogFile)
+	viper.BindEnv(logFilePathKey, "LDAPAUTH_LOG_FILE_PATH")
+	cmd.Flags().StringVarP(&logFilePath, logFilePathFlag, "l", viper.GetString(logFilePathKey),
+		"Location for the log file. Leave empty to write logs to the standard output. This flag can be set using LDAPAUTH_LOG_FILE_PATH "+
+			"env var too.")
+	viper.BindPFlag(logFilePathKey, cmd.Flags().Lookup(logFilePathFlag))
+
+	viper.SetDefault(logMaxSizeKey, defaultLogMaxSize)
+	viper.BindEnv(logMaxSizeKey, "LDAPAUTH_LOG_MAX_SIZE")
+	cmd.Flags().IntVarP(&logMaxSize, logMaxSizeFlag, "s", viper.GetInt(logMaxSizeKey),
+		"Maximum size in megabytes of the log file before it gets rotated. This flag can be set using LDAPAUTH_LOG_MAX_SIZE "+
+			"env var too. It is unused if log-file-path is empty.")
+	viper.BindPFlag(logMaxSizeKey, cmd.Flags().Lookup(logMaxSizeFlag))
+
+	viper.SetDefault(logMaxBackupKey, defaultLogMaxBackup)
+	viper.BindEnv(logMaxBackupKey, "LDAPAUTH_LOG_MAX_BACKUPS")
+	cmd.Flags().IntVarP(&logMaxBackups, "log-max-backups", "b", viper.GetInt(logMaxBackupKey),
+		"Maximum number of old log files to retain. This flag can be set using LDAPAUTH_LOG_MAX_BACKUPS env var too. "+
+			"It is unused if log-file-path is empty.")
+	viper.BindPFlag(logMaxBackupKey, cmd.Flags().Lookup(logMaxBackupFlag))
+
+	viper.SetDefault(logMaxAgeKey, defaultLogMaxAge)
+	viper.BindEnv(logMaxAgeKey, "LDAPAUTH_LOG_MAX_AGE")
+	cmd.Flags().IntVarP(&logMaxAge, "log-max-age", "a", viper.GetInt(logMaxAgeKey),
+		"Maximum number of days to retain old log files. This flag can be set using LDAPAUTH_LOG_MAX_AGE env var too. "+
+			"It is unused if log-file-path is empty.")
+	viper.BindPFlag(logMaxAgeKey, cmd.Flags().Lookup(logMaxAgeFlag))
+
+	viper.SetDefault(logCompressKey, defaultLogCompress)
+	viper.BindEnv(logCompressKey, "LDAPAUTH_LOG_COMPRESS")
+	cmd.Flags().BoolVarP(&logCompress, logCompressFlag, "z", viper.GetBool(logCompressKey), "Determine if the rotated "+
+		"log files should be compressed using gzip. This flag can be set using LDAPAUTH_LOG_COMPRESS env var too. "+
+		"It is unused if log-file-path is empty.")
+	viper.BindPFlag(logCompressKey, cmd.Flags().Lookup(logCompressFlag))
+
+	viper.SetDefault(logVerboseKey, defaultLogVerbose)
+	viper.BindEnv(logVerboseKey, "LDAPAUTH_LOG_VERBOSE")
+	cmd.Flags().BoolVarP(&logVerbose, logVerboseFlag, "v", viper.GetBool(logVerboseKey), "Enable verbose logs. "+
+		"This flag can be set using LDAPAUTH_LOG_VERBOSE env var too.")
+	viper.BindPFlag(logVerboseKey, cmd.Flags().Lookup(logVerboseFlag))
+}

examples/ldapauthserver/cmd/serve.go

@@ -0,0 +1,49 @@
+package cmd
+
+import (
+	"path/filepath"
+
+	"github.com/drakkan/sftpgo/ldapauthserver/config"
+	"github.com/drakkan/sftpgo/ldapauthserver/httpd"
+	"github.com/drakkan/sftpgo/ldapauthserver/logger"
+	"github.com/drakkan/sftpgo/ldapauthserver/utils"
+	"github.com/rs/zerolog"
+	"github.com/spf13/cobra"
+)
+
+var (
+	serveCmd = &cobra.Command{
+		Use:   "serve",
+		Short: "Start the LDAP Authentication Server",
+		Long: `To start the server with the default values for the command line flags simply use:
+
+ldapauthserver serve
+
+Please take a look at the usage below to customize the startup options`,
+		Run: func(cmd *cobra.Command, args []string) {
+			startServer()
+		},
+	}
+)
+
+func init() {
+	rootCmd.AddCommand(serveCmd)
+	addServeFlags(serveCmd)
+}
+
+func startServer() error {
+	logLevel := zerolog.DebugLevel
+	if !logVerbose {
+		logLevel = zerolog.InfoLevel
+	}
+	if !filepath.IsAbs(logFilePath) && utils.IsFileInputValid(logFilePath) {
+		logFilePath = filepath.Join(configDir, logFilePath)
+	}
+	logger.InitLogger(logFilePath, logMaxSize, logMaxBackups, logMaxAge, logCompress, logLevel)
+	version := utils.GetAppVersion()
+	logger.Info(logSender, "", "starting LDAP Auth Server %v, config dir: %v, config file: %v, log max size: %v log max backups: %v "+
+		"log max age: %v log verbose: %v, log compress: %v", version.GetVersionAsString(), configDir, configFile, logMaxSize,
+		logMaxBackups, logMaxAge, logVerbose, logCompress)
+	config.LoadConfig(configDir, configFile)
+	return httpd.StartHTTPServer(configDir, config.GetHTTPDConfig())
+}

examples/ldapauthserver/config/config.go

@@ -0,0 +1,158 @@
+package config
+
+import (
+	"strings"
+
+	"github.com/drakkan/sftpgo/ldapauthserver/logger"
+	"github.com/spf13/viper"
+)
+
+const (
+	logSender = "config"
+	// DefaultConfigName defines the name for the default config file.
+	// This is the file name without extension, we use viper and so we
+	// support all the config files format supported by viper
+	DefaultConfigName = "ldapauth"
+	// ConfigEnvPrefix defines a prefix that ENVIRONMENT variables will use
+	configEnvPrefix = "ldapauth"
+)
+
+// HTTPDConfig defines configuration for the HTTPD server
+type HTTPDConfig struct {
+	BindAddress        string `mapstructure:"bind_address"`
+	BindPort           int    `mapstructure:"bind_port"`
+	AuthUserFile       string `mapstructure:"auth_user_file"`
+	CertificateFile    string `mapstructure:"certificate_file"`
+	CertificateKeyFile string `mapstructure:"certificate_key_file"`
+}
+
+// LDAPConfig defines the configuration parameters for LDAP connections and searchs
+type LDAPConfig struct {
+	BaseDN             string   `mapstructure:"basedn"`
+	BindURL            string   `mapstructure:"bind_url"`
+	BindUsername       string   `mapstructure:"bind_username"`
+	BindPassword       string   `mapstructure:"bind_password"`
+	SearchFilter       string   `mapstructure:"search_filter"`
+	SearchBaseAttrs    []string `mapstructure:"search_base_attrs"`
+	DefaultUID         int      `mapstructure:"default_uid"`
+	DefaultGID         int      `mapstructure:"default_gid"`
+	ForceDefaultUID    bool     `mapstructure:"force_default_uid"`
+	ForceDefaultGID    bool     `mapstructure:"force_default_gid"`
+	InsecureSkipVerify bool     `mapstructure:"insecure_skip_verify"`
+	CACertificates     []string `mapstructure:"ca_certificates"`
+}
+
+type appConfig struct {
+	HTTPD HTTPDConfig `mapstructure:"httpd"`
+	LDAP  LDAPConfig  `mapstructure:"ldap"`
+}
+
+var conf appConfig
+
+func init() {
+	conf = appConfig{
+		HTTPD: HTTPDConfig{
+			BindAddress:        "",
+			BindPort:           9000,
+			AuthUserFile:       "",
+			CertificateFile:    "",
+			CertificateKeyFile: "",
+		},
+		LDAP: LDAPConfig{
+			BaseDN:       "dc=example,dc=com",
+			BindURL:      "ldap://192.168.1.103:389",
+			BindUsername: "cn=Directory Manager",
+			BindPassword: "YOUR_ADMIN_PASSWORD_HERE",
+			SearchFilter: "(&(objectClass=nsPerson)(uid=%s))",
+			SearchBaseAttrs: []string{
+				"dn",
+				"homeDirectory",
+				"uidNumber",
+				"gidNumber",
+				"nsSshPublicKey",
+			},
+			DefaultUID:         0,
+			DefaultGID:         0,
+			ForceDefaultUID:    true,
+			ForceDefaultGID:    true,
+			InsecureSkipVerify: false,
+			CACertificates:     nil,
+		},
+	}
+	viper.SetEnvPrefix(configEnvPrefix)
+	replacer := strings.NewReplacer(".", "__")
+	viper.SetEnvKeyReplacer(replacer)
+	viper.SetConfigName(DefaultConfigName)
+	viper.AutomaticEnv()
+	viper.AllowEmptyEnv(true)
+}
+
+// GetHomeDirectory returns the configured name for the LDAP field to use as home directory
+func (l *LDAPConfig) GetHomeDirectory() string {
+	if len(l.SearchBaseAttrs) > 1 {
+		return l.SearchBaseAttrs[1]
+	}
+	return "homeDirectory"
+}
+
+// GetUIDNumber returns the configured name for the LDAP field to use as UID
+func (l *LDAPConfig) GetUIDNumber() string {
+	if len(l.SearchBaseAttrs) > 2 {
+		return l.SearchBaseAttrs[2]
+	}
+	return "uidNumber"
+}
+
+// GetGIDNumber returns the configured name for the LDAP field to use as GID
+func (l *LDAPConfig) GetGIDNumber() string {
+	if len(l.SearchBaseAttrs) > 3 {
+		return l.SearchBaseAttrs[3]
+	}
+	return "gidNumber"
+}
+
+// GetPublicKey returns the configured name for the LDAP field to use as public keys
+func (l *LDAPConfig) GetPublicKey() string {
+	if len(l.SearchBaseAttrs) > 4 {
+		return l.SearchBaseAttrs[4]
+	}
+	return "nsSshPublicKey"
+}
+
+// GetHTTPDConfig returns the configuration for the HTTP server
+func GetHTTPDConfig() HTTPDConfig {
+	return conf.HTTPD
+}
+
+// GetLDAPConfig returns LDAP related settings
+func GetLDAPConfig() LDAPConfig {
+	return conf.LDAP
+}
+
+func getRedactedConf() appConfig {
+	c := conf
+	return c
+}
+
+// LoadConfig loads the configuration
+func LoadConfig(configDir, configName string) error {
+	var err error
+	viper.AddConfigPath(configDir)
+	viper.AddConfigPath(".")
+	viper.SetConfigName(configName)
+	if err = viper.ReadInConfig(); err != nil {
+		logger.Warn(logSender, "", "error loading configuration file: %v. Default configuration will be used: %+v",
+			err, getRedactedConf())
+		logger.WarnToConsole("error loading configuration file: %v. Default configuration will be used.", err)
+		return err
+	}
+	err = viper.Unmarshal(&conf)
+	if err != nil {
+		logger.Warn(logSender, "", "error parsing configuration file: %v. Default configuration will be used: %+v",
+			err, getRedactedConf())
+		logger.WarnToConsole("error parsing configuration file: %v. Default configuration will be used.", err)
+		return err
+	}
+	logger.Debug(logSender, "", "config file used: '%#v', config loaded: %+v", viper.ConfigFileUsed(), getRedactedConf())
+	return err
+}

examples/ldapauthserver/go.mod

@@ -0,0 +1,26 @@
+module github.com/drakkan/sftpgo/ldapauthserver
+
+go 1.14
+
+require (
+	github.com/fsnotify/fsnotify v1.4.9 // indirect
+	github.com/go-asn1-ber/asn1-ber v1.4.1 // indirect
+	github.com/go-chi/chi v4.1.1+incompatible
+	github.com/go-chi/render v1.0.1
+	github.com/go-ldap/ldap/v3 v3.1.8
+	github.com/mitchellh/mapstructure v1.2.2 // indirect
+	github.com/nathanaelle/password/v2 v2.0.1
+	github.com/pelletier/go-toml v1.7.0 // indirect
+	github.com/rs/zerolog v1.18.0
+	github.com/spf13/afero v1.2.2 // indirect
+	github.com/spf13/cast v1.3.1 // indirect
+	github.com/spf13/cobra v1.0.0
+	github.com/spf13/jwalterweatherman v1.1.0 // indirect
+	github.com/spf13/pflag v1.0.5 // indirect
+	github.com/spf13/viper v1.6.3
+	golang.org/x/crypto v0.0.0-20200420201142-3c4aac89819a
+	golang.org/x/sys v0.0.0-20200420163511-1957bb5e6d1f // indirect
+	golang.org/x/text v0.3.2 // indirect
+	gopkg.in/ini.v1 v1.55.0 // indirect
+	gopkg.in/natefinch/lumberjack.v2 v2.0.0
+)

examples/ldapauthserver/go.sum

@@ -0,0 +1,228 @@
+cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
+github.com/BurntSushi/toml v0.3.1 h1:WXkYYl6Yr3qBf1K79EBnL4mak0OimBfB0XUf9Vl28OQ=
+github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
+github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU=
+github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
+github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
+github.com/armon/consul-api v0.0.0-20180202201655-eb2c6b5be1b6/go.mod h1:grANhF5doyWs3UAsr3K4I6qtAmlQcZDesFNEHPZAzj8=
+github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q=
+github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8=
+github.com/cespare/xxhash v1.1.0 h1:a6HrQnmkObjyL+Gs60czilIUGqrzKutQD6XZog3p+ko=
+github.com/cespare/xxhash v1.1.0/go.mod h1:XrSqR1VqqWfGrhpAt58auRo0WTKS1nRRg3ghfAqPWnc=
+github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
+github.com/coreos/bbolt v1.3.2/go.mod h1:iRUV2dpdMOn7Bo10OQBFzIJO9kkE559Wcmn+qkEiiKk=
+github.com/coreos/etcd v3.3.10+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE=
+github.com/coreos/etcd v3.3.13+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE=
+github.com/coreos/go-semver v0.2.0/go.mod h1:nnelYz7RCh+5ahJtPPxZlU+153eP4D4r3EedlOD2RNk=
+github.com/coreos/go-systemd v0.0.0-20190321100706-95778dfbb74e/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4=
+github.com/coreos/pkg v0.0.0-20180928190104-399ea9e2e55f/go.mod h1:E3G3o1h8I7cfcXa63jLwjI0eiQQMgzzUDFVpN/nH/eA=
+github.com/cpuguy83/go-md2man/v2 v2.0.0/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU=
+github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
+github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ=
+github.com/dgryski/go-sip13 v0.0.0-20181026042036-e10d5fee7954/go.mod h1:vAd38F8PWV+bWy6jNmig1y/TA+kYO4g3RSRF0IAv0no=
+github.com/fsnotify/fsnotify v1.4.7 h1:IXs+QLmnXW2CcXuY+8Mzv/fWEsPGWxqefPtCP5CnV9I=
+github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
+github.com/fsnotify/fsnotify v1.4.9 h1:hsms1Qyu0jgnwNXIxa+/V/PDsU6CfLf6CNO8H7IWoS4=
+github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ=
+github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
+github.com/go-asn1-ber/asn1-ber v1.3.1 h1:gvPdv/Hr++TRFCl0UbPFHC54P9N9jgsRPnmnr419Uck=
+github.com/go-asn1-ber/asn1-ber v1.3.1/go.mod h1:hEBeB/ic+5LoWskz+yKT7vGhhPYkProFKoKdwZRWMe0=
+github.com/go-asn1-ber/asn1-ber v1.4.1 h1:qP/QDxOtmMoJVgXHCXNzDpA0+wkgYB2x5QoLMVOciyw=
+github.com/go-asn1-ber/asn1-ber v1.4.1/go.mod h1:hEBeB/ic+5LoWskz+yKT7vGhhPYkProFKoKdwZRWMe0=
+github.com/go-chi/chi v4.1.1+incompatible h1:MmTgB0R8Bt/jccxp+t6S/1VGIKdJw5J74CK/c9tTfA4=
+github.com/go-chi/chi v4.1.1+incompatible/go.mod h1:eB3wogJHnLi3x/kFX2A+IbTBlXxmMeXJVKy9tTv1XzQ=
+github.com/go-chi/render v1.0.1 h1:4/5tis2cKaNdnv9zFLfXzcquC9HbeZgCnxGnKrltBS8=
+github.com/go-chi/render v1.0.1/go.mod h1:pq4Rr7HbnsdaeHagklXub+p6Wd16Af5l9koip1OvJns=
+github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
+github.com/go-ldap/ldap/v3 v3.1.8 h1:5vU/2jOh9HqprwXp8aF915s9p6Z8wmbSEVF7/gdTFhM=
+github.com/go-ldap/ldap/v3 v3.1.8/go.mod h1:5Zun81jBTabRaI8lzN7E1JjyEl1g6zI6u9pd8luAK4Q=
+github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9GBnD5lWE=
+github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V4qmtdjCk=
+github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY=
+github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
+github.com/gogo/protobuf v1.2.1/go.mod h1:hp+jE20tsWTFYpLwKvXlhS1hjn+gTNwPg2I6zVXpSg4=
+github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
+github.com/golang/groupcache v0.0.0-20190129154638-5b532d6fd5ef/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
+github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
+github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
+github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
+github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
+github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M=
+github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
+github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1 h1:EGx4pi6eqNxGaHF6qqu48+N2wcFQ5qg5FXgOdqsJ5d8=
+github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY=
+github.com/gorilla/websocket v1.4.0/go.mod h1:E7qHFY5m1UJ88s3WnNqhKjPHQ0heANvMoAMk2YaljkQ=
+github.com/grpc-ecosystem/go-grpc-middleware v1.0.0/go.mod h1:FiyG127CGDf3tlThmgyCl78X/SZQqEOJBCDaAfeWzPs=
+github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0/go.mod h1:8NvIoxWQoOIhqOTXgfV/d3M/q6VIi02HzZEHgUlZvzk=
+github.com/grpc-ecosystem/grpc-gateway v1.9.0/go.mod h1:vNeuVxBJEsws4ogUvrchl83t/GYV9WGTSLVdBhOQFDY=
+github.com/hashicorp/hcl v1.0.0 h1:0Anlzjpi4vEasTeNFn2mLJgTSwt0+6sfsiTG8qcWGx4=
+github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ=
+github.com/inconshreveable/mousetrap v1.0.0 h1:Z8tu5sraLXCXIcARxBp/8cbvlwVa7Z1NHg9XEKhtSvM=
+github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8=
+github.com/jonboulle/clockwork v0.1.0/go.mod h1:Ii8DK3G1RaLaWxj9trq07+26W01tbo22gdxWY5EU2bo=
+github.com/json-iterator/go v1.1.9/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
+github.com/jtolds/gls v4.20.0+incompatible h1:xdiiI2gbIgH/gLH7ADydsJ1uDOEzR8yvV7C0MuV77Wo=
+github.com/jtolds/gls v4.20.0+incompatible/go.mod h1:QJZ7F/aHp+rZTRtaJ1ow/lLfFfVYBRgL+9YlvaHOwJU=
+github.com/julienschmidt/httprouter v1.2.0/go.mod h1:SYymIcj16QtmaHHD7aYtjjsJG7VTCxuUUipMqKk8s4w=
+github.com/kisielk/errcheck v1.1.0/go.mod h1:EZBBE59ingxPouuu3KfxchcWSUPOHkagtvWXihfKN4Q=
+github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
+github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
+github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc=
+github.com/kr/pretty v0.1.0 h1:L/CwN0zerZDmRFUapSPitk6f+Q3+0za1rQkzVuMiMFI=
+github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
+github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
+github.com/kr/text v0.1.0 h1:45sCR5RtlFHMR4UwH9sdQ5TC8v0qDQCHnXt+kaKSTVE=
+github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
+github.com/magiconair/properties v1.8.0/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ=
+github.com/magiconair/properties v1.8.1 h1:ZC2Vc7/ZFkGmsVC9KvOjumD+G5lXy2RtTKyzRKO2BQ4=
+github.com/magiconair/properties v1.8.1/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ=
+github.com/matttproud/golang_protobuf_extensions v1.0.1 h1:4hp9jkHxhMHkqkrB3Ix0jegS5sx/RkqARlsWZ6pIwiU=
+github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0=
+github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0=
+github.com/mitchellh/mapstructure v1.1.2 h1:fmNYVwqnSfB9mZU6OS2O6GsXM+wcskZDuKQzvN1EDeE=
+github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y=
+github.com/mitchellh/mapstructure v1.2.2 h1:dxe5oCinTXiTIcfgmZecdCzPmAJKd46KsCWc35r0TV4=
+github.com/mitchellh/mapstructure v1.2.2/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
+github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
+github.com/modern-go/reflect2 v0.0.0-20180701023420-4b7aa43c6742/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
+github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
+github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U=
+github.com/nathanaelle/password/v2 v2.0.1 h1:ItoCTdsuIWzilYmllQPa3DR3YoCXcpfxScWLqr8Ii2s=
+github.com/nathanaelle/password/v2 v2.0.1/go.mod h1:eaoT+ICQEPNtikBRIAatN8ThWwMhVG+r1jTw60BvPJk=
+github.com/oklog/ulid v1.3.1/go.mod h1:CirwcVhetQ6Lv90oh/F+FBtV6XMibvdAFo93nm5qn4U=
+github.com/pelletier/go-toml v1.2.0 h1:T5zMGML61Wp+FlcbWjRDT7yAxhJNAiPPLOFECq181zc=
+github.com/pelletier/go-toml v1.2.0/go.mod h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/94hg7ilaic=
+github.com/pelletier/go-toml v1.7.0 h1:7utD74fnzVc/cpcyy8sjrlFr5vYpypUixARcHIMIGuI=
+github.com/pelletier/go-toml v1.7.0/go.mod h1:vwGMzjaWMwyfHwgIBhI2YUM4fB6nL6lVAvS1LBMMhTE=
+github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
+github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
+github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
+github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw=
+github.com/prometheus/client_golang v0.9.3/go.mod h1:/TN21ttK/J9q6uSwhBd54HahCDft0ttaMvbicHlPoso=
+github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo=
+github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
+github.com/prometheus/common v0.0.0-20181113130724-41aa239b4cce/go.mod h1:daVV7qP5qjZbuso7PdcryaAu0sAZbrN9i7WWcTMWvro=
+github.com/prometheus/common v0.4.0/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4=
+github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk=
+github.com/prometheus/procfs v0.0.0-20190507164030-5867b95ac084/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA=
+github.com/prometheus/tsdb v0.7.1/go.mod h1:qhTCs0VvXwvX/y3TZrWD7rabWM+ijKTux40TwIPHuXU=
+github.com/rogpeppe/fastuuid v0.0.0-20150106093220-6724a57986af/go.mod h1:XWv6SoW27p1b0cqNHllgS5HIMJraePCO15w5zCzIWYg=
+github.com/rs/xid v1.2.1/go.mod h1:+uKXf+4Djp6Md1KODXJxgGQPKngRmWyn10oCKFzNHOQ=
+github.com/rs/zerolog v1.18.0 h1:CbAm3kP2Tptby1i9sYy2MGRg0uxIN9cyDb59Ys7W8z8=
+github.com/rs/zerolog v1.18.0/go.mod h1:9nvC1axdVrAHcu/s9taAVfBuIdTZLVQmKQyvrUjF5+I=
+github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
+github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc=
+github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo=
+github.com/smartystreets/assertions v0.0.0-20180927180507-b2de0cb4f26d h1:zE9ykElWQ6/NYmHa3jpm/yHnI4xSofP+UP6SpjHcSeM=
+github.com/smartystreets/assertions v0.0.0-20180927180507-b2de0cb4f26d/go.mod h1:OnSkiWE9lh6wB0YB77sQom3nweQdgAjqCqsofrRNTgc=
+github.com/smartystreets/goconvey v1.6.4 h1:fv0U8FUIMPNf1L9lnHLvLhgicrIVChEkdzIKYqbNC9s=
+github.com/smartystreets/goconvey v1.6.4/go.mod h1:syvi0/a8iFYH4r/RixwvyeAJjdLS9QV7WQ/tjFTllLA=
+github.com/soheilhy/cmux v0.1.4/go.mod h1:IM3LyeVVIOuxMH7sFAkER9+bJ4dT7Ms6E4xg4kGIyLM=
+github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA=
+github.com/spf13/afero v1.1.2 h1:m8/z1t7/fwjysjQRYbP0RD+bUIF/8tJwPdEZsI83ACI=
+github.com/spf13/afero v1.1.2/go.mod h1:j4pytiNVoe2o6bmDsKpLACNPDBIoEAkihy7loJ1B0CQ=
+github.com/spf13/afero v1.2.2 h1:5jhuqJyZCZf2JRofRvN/nIFgIWNzPa3/Vz8mYylgbWc=
+github.com/spf13/afero v1.2.2/go.mod h1:9ZxEEn6pIJ8Rxe320qSDBk6AsU0r9pR7Q4OcevTdifk=
+github.com/spf13/cast v1.3.0 h1:oget//CVOEoFewqQxwr0Ej5yjygnqGkvggSE/gB35Q8=
+github.com/spf13/cast v1.3.0/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE=
+github.com/spf13/cast v1.3.1 h1:nFm6S0SMdyzrzcmThSipiEubIDy8WEXKNZ0UOgiRpng=
+github.com/spf13/cast v1.3.1/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE=
+github.com/spf13/cobra v1.0.0 h1:6m/oheQuQ13N9ks4hubMG6BnvwOeaJrqSPLahSnczz8=
+github.com/spf13/cobra v1.0.0/go.mod h1:/6GTrnGXV9HjY+aR4k0oJ5tcvakLuG6EuKReYlHNrgE=
+github.com/spf13/jwalterweatherman v1.0.0 h1:XHEdyB+EcvlqZamSM4ZOMGlc93t6AcsBEu9Gc1vn7yk=
+github.com/spf13/jwalterweatherman v1.0.0/go.mod h1:cQK4TGJAtQXfYWX+Ddv3mKDzgVb68N+wFjFa4jdeBTo=
+github.com/spf13/jwalterweatherman v1.1.0 h1:ue6voC5bR5F8YxI5S67j9i582FU4Qvo2bmqnqMYADFk=
+github.com/spf13/jwalterweatherman v1.1.0/go.mod h1:aNWZUN0dPAAO/Ljvb5BEdw96iTZ0EXowPYD95IqWIGo=
+github.com/spf13/pflag v1.0.3 h1:zPAT6CGy6wXeQ7NtTnaTerfKOsV6V6F8agHXFiazDkg=
+github.com/spf13/pflag v1.0.3/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4=
+github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
+github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+github.com/spf13/viper v1.4.0/go.mod h1:PTJ7Z/lr49W6bUbkmS1V3by4uWynFiR9p7+dSq/yZzE=
+github.com/spf13/viper v1.6.3 h1:pDDu1OyEDTKzpJwdq4TiuLyMsUgRa/BT5cn5O62NoHs=
+github.com/spf13/viper v1.6.3/go.mod h1:jUMtyi0/lB5yZH/FjyGAoH7IMNrIhlBf6pXZmbMDvzw=
+github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
+github.com/stretchr/testify v1.3.0 h1:TivCn/peBQ7UY8ooIcPgZFpTNSz0Q2U6UrFlUfqbe0Q=
+github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
+github.com/subosito/gotenv v1.2.0 h1:Slr1R9HxAlEKefgq5jn9U+DnETlIUa6HfgEzj0g5d7s=
+github.com/subosito/gotenv v1.2.0/go.mod h1:N0PQaV/YGNqwC0u51sEeR/aUtSLEXKX9iv69rRypqCw=
+github.com/tmc/grpc-websocket-proxy v0.0.0-20190109142713-0ad062ec5ee5/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U=
+github.com/ugorji/go v1.1.4/go.mod h1:uQMGLiO92mf5W77hV/PUCpI3pbzQx3CRekS0kk+RGrc=
+github.com/xiang90/probing v0.0.0-20190116061207-43a291ad63a2/go.mod h1:UETIi67q53MR2AWcXfiuqkDkRtnGDLqkBTpCHuJHxtU=
+github.com/xordataexchange/crypt v0.0.3-0.20170626215501-b2862e3d0a77/go.mod h1:aYKd//L2LvnjZzWKhF00oedf4jCCReLcmhLdhm1A27Q=
+github.com/zenazn/goji v0.9.0/go.mod h1:7S9M489iMyHBNxwZnk9/EHS098H4/F6TATF2mIxtB1Q=
+go.etcd.io/bbolt v1.3.2/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU=
+go.uber.org/atomic v1.4.0/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE=
+go.uber.org/multierr v1.1.0/go.mod h1:wR5kodmAFQ0UK8QlbwjlSNy0Z68gJhDJUG5sjR94q/0=
+go.uber.org/zap v1.10.0/go.mod h1:vwi/ZaCAaUcBkycHslxD9B2zi4UTXhF60s6SWpuDF0Q=
+golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
+golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2 h1:VklqNMn3ovrHsnt90PveolxSbWFaJdECFbxSq0Mqo2M=
+golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
+golang.org/x/crypto v0.0.0-20200311171314-f7b00557c8c4/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
+golang.org/x/crypto v0.0.0-20200420201142-3c4aac89819a h1:y6sBfNd1b9Wy08a6K1Z1DZc4aXABUN5TKjkYhz7UKmo=
+golang.org/x/crypto v0.0.0-20200420201142-3c4aac89819a/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
+golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
+golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
+golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/net v0.0.0-20181114220301-adae6a3d119a/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/net v0.0.0-20181220203305-927f97764cc3/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
+golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
+golang.org/x/net v0.0.0-20190522155817-f3200d17e092/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks=
+golang.org/x/net v0.0.0-20190620200207-3b0461eec859 h1:R/3boaszxrf1GEUWTVDzSKVwLmSJpwZ1yqXm8j0v2QI=
+golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
+golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20181107165924-66b7b1311ac8/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a h1:1BGLXjeY4akVXGgbC9HugT3Jv3hCI0z56oJR5vAMgBU=
+golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20190412213103-97732733099d h1:+R4KGOnez64A81RvjARKc4UT5/tI9ujCIVX+P5KiHuI=
+golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20191005200804-aed5e4c7ecf9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200420163511-1957bb5e6d1f h1:gWF768j/LaZugp8dyS4UwsslYCYz9XgFxvlgsn0n9H8=
+golang.org/x/sys v0.0.0-20200420163511-1957bb5e6d1f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/text v0.3.0 h1:g61tztE5qeGQ89tm6NTjjM9VPIm088od1l6aSorWRWg=
+golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
+golang.org/x/text v0.3.2 h1:tW2bmiBqwgJj/UpqtC8EpXEZVYOwU0yG4iWbprSVAcs=
+golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
+golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
+golang.org/x/tools v0.0.0-20180221164845-07fd8470d635/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
+golang.org/x/tools v0.0.0-20190328211700-ab21143f2384/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
+golang.org/x/tools v0.0.0-20190828213141-aed303cbaa74/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
+google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc=
+google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
+google.golang.org/grpc v1.21.0/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM=
+gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127 h1:qIbj1fsPNlZgppZ+VLlY7N33q108Sa+fhmuc+sWQYwY=
+gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/ini.v1 v1.51.0 h1:AQvPpx3LzTDM0AjnIRlVFwFFGC+npRopjZxLJj6gdno=
+gopkg.in/ini.v1 v1.51.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=
+gopkg.in/ini.v1 v1.55.0 h1:E8yzL5unfpW3M6fz/eB7Cb5MQAYSZ7GKo4Qth+N2sgQ=
+gopkg.in/ini.v1 v1.55.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=
+gopkg.in/natefinch/lumberjack.v2 v2.0.0 h1:1Lc07Kr7qY4U2YPouBjpCLxpiyxIVoxqXgkXLknAOE8=
+gopkg.in/natefinch/lumberjack.v2 v2.0.0/go.mod h1:l0ndWWf7gzL7RNwBG7wST/UCcT4T24xpD6X8LsfU/+k=
+gopkg.in/resty.v1 v1.12.0/go.mod h1:mDo4pnntr5jdWRML875a/NmxYqAlA73dVijT2AXvQQo=
+gopkg.in/yaml.v2 v2.0.0-20170812160011-eb3733d160e7/go.mod h1:JAlM8MvJe8wmxCU4Bli9HhUf9+ttbYbLASfIpnQbh74=
+gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v2 v2.2.4 h1:/eiJrUcujPVeJ3xlSWaiNi3uSVmDGBK1pDHUHAnao1I=
+gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v2 v2.2.8 h1:obN1ZagJSUGI0Ek/LBmuj4SNLPfIny3KsKFopxRdj10=
+gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=

examples/ldapauthserver/httpd/auth.go

@@ -0,0 +1,146 @@
+package httpd
+
+import (
+	"encoding/csv"
+	"errors"
+	"fmt"
+	"net/http"
+	"os"
+	"sync"
+
+	unixcrypt "github.com/nathanaelle/password/v2"
+
+	"github.com/drakkan/sftpgo/ldapauthserver/logger"
+	"github.com/drakkan/sftpgo/ldapauthserver/utils"
+	"golang.org/x/crypto/bcrypt"
+)
+
+const (
+	authenticationHeader = "WWW-Authenticate"
+	authenticationRealm  = "LDAP Auth Server"
+	unauthResponse       = "Unauthorized"
+)
+
+var (
+	md5CryptPwdPrefixes = []string{"$1$", "$apr1$"}
+	bcryptPwdPrefixes   = []string{"$2a$", "$2$", "$2x$", "$2y$", "$2b$"}
+)
+
+type httpAuthProvider interface {
+	getHashedPassword(username string) (string, bool)
+	isEnabled() bool
+}
+
+type basicAuthProvider struct {
+	Path  string
+	Info  os.FileInfo
+	Users map[string]string
+	lock  *sync.RWMutex
+}
+
+func newBasicAuthProvider(authUserFile string) (httpAuthProvider, error) {
+	basicAuthProvider := basicAuthProvider{
+		Path:  authUserFile,
+		Info:  nil,
+		Users: make(map[string]string),
+		lock:  new(sync.RWMutex),
+	}
+	return &basicAuthProvider, basicAuthProvider.loadUsers()
+}
+
+func (p *basicAuthProvider) isEnabled() bool {
+	return len(p.Path) > 0
+}
+
+func (p *basicAuthProvider) isReloadNeeded(info os.FileInfo) bool {
+	p.lock.RLock()
+	defer p.lock.RUnlock()
+	return p.Info == nil || p.Info.ModTime() != info.ModTime() || p.Info.Size() != info.Size()
+}
+
+func (p *basicAuthProvider) loadUsers() error {
+	if !p.isEnabled() {
+		return nil
+	}
+	info, err := os.Stat(p.Path)
+	if err != nil {
+		logger.Debug(logSender, "", "unable to stat basic auth users file: %v", err)
+		return err
+	}
+	if p.isReloadNeeded(info) {
+		r, err := os.Open(p.Path)
+		if err != nil {
+			logger.Debug(logSender, "", "unable to open basic auth users file: %v", err)
+			return err
+		}
+		defer r.Close()
+		reader := csv.NewReader(r)
+		reader.Comma = ':'
+		reader.Comment = '#'
+		reader.TrimLeadingSpace = true
+		records, err := reader.ReadAll()
+		if err != nil {
+			logger.Debug(logSender, "", "unable to parse basic auth users file: %v", err)
+			return err
+		}
+		p.lock.Lock()
+		defer p.lock.Unlock()
+		p.Users = make(map[string]string)
+		for _, record := range records {
+			if len(record) == 2 {
+				p.Users[record[0]] = record[1]
+			}
+		}
+		logger.Debug(logSender, "", "number of users loaded for httpd basic auth: %v", len(p.Users))
+		p.Info = info
+	}
+	return nil
+}
+
+func (p *basicAuthProvider) getHashedPassword(username string) (string, bool) {
+	err := p.loadUsers()
+	if err != nil {
+		return "", false
+	}
+	p.lock.RLock()
+	defer p.lock.RUnlock()
+	pwd, ok := p.Users[username]
+	return pwd, ok
+}
+
+func checkAuth(next http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if !validateCredentials(r) {
+			w.Header().Set(authenticationHeader, fmt.Sprintf("Basic realm=\"%v\"", authenticationRealm))
+			sendAPIResponse(w, r, errors.New(unauthResponse), "", http.StatusUnauthorized)
+			return
+		}
+		next.ServeHTTP(w, r)
+	})
+}
+
+func validateCredentials(r *http.Request) bool {
+	if !httpAuth.isEnabled() {
+		return true
+	}
+	username, password, ok := r.BasicAuth()
+	if !ok {
+		return false
+	}
+	if hashedPwd, ok := httpAuth.getHashedPassword(username); ok {
+		if utils.IsStringPrefixInSlice(hashedPwd, bcryptPwdPrefixes) {
+			err := bcrypt.CompareHashAndPassword([]byte(hashedPwd), []byte(password))
+			return err == nil
+		}
+		if utils.IsStringPrefixInSlice(hashedPwd, md5CryptPwdPrefixes) {
+			crypter, ok := unixcrypt.MD5.CrypterFound(hashedPwd)
+			if !ok {
+				err := errors.New("cannot found matching MD5 crypter")
+				logger.Debug(logSender, "", "error comparing password with MD5 crypt hash: %v", err)
+				return false
+			}
+			return crypter.Verify([]byte(password))
+		}
+	}
+	return false
+}

examples/ldapauthserver/httpd/httpd.go

@@ -0,0 +1,148 @@
+package httpd
+
+import (
+	"context"
+	"crypto/tls"
+	"crypto/x509"
+	"fmt"
+	"io/ioutil"
+	"net/http"
+	"path/filepath"
+	"time"
+
+	"github.com/drakkan/sftpgo/ldapauthserver/config"
+	"github.com/drakkan/sftpgo/ldapauthserver/logger"
+	"github.com/drakkan/sftpgo/ldapauthserver/utils"
+	"github.com/go-chi/chi"
+	"github.com/go-chi/chi/middleware"
+	"github.com/go-chi/render"
+)
+
+const (
+	logSender      = "httpd"
+	versionPath    = "/api/v1/version"
+	checkAuthPath  = "/api/v1/check_auth"
+	maxRequestSize = 1 << 18 // 256KB
+)
+
+var (
+	ldapConfig config.LDAPConfig
+	httpAuth   httpAuthProvider
+	certMgr    *certManager
+	rootCAs    *x509.CertPool
+)
+
+// StartHTTPServer initializes and starts the HTTP Server
+func StartHTTPServer(configDir string, httpConfig config.HTTPDConfig) error {
+	var err error
+	authUserFile := getConfigPath(httpConfig.AuthUserFile, configDir)
+	httpAuth, err = newBasicAuthProvider(authUserFile)
+	if err != nil {
+		return err
+	}
+
+	router := chi.NewRouter()
+	router.Use(middleware.RequestID)
+	router.Use(middleware.RealIP)
+	router.Use(logger.NewStructuredLogger(logger.GetLogger()))
+	router.Use(middleware.Recoverer)
+
+	router.NotFound(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		sendAPIResponse(w, r, nil, "Not Found", http.StatusNotFound)
+	}))
+
+	router.MethodNotAllowed(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		sendAPIResponse(w, r, nil, "Method not allowed", http.StatusMethodNotAllowed)
+	}))
+
+	router.Get(versionPath, func(w http.ResponseWriter, r *http.Request) {
+		render.JSON(w, r, utils.GetAppVersion())
+	})
+
+	router.Group(func(router chi.Router) {
+		router.Use(checkAuth)
+
+		router.Post(checkAuthPath, checkSFTPGoUserAuth)
+	})
+
+	ldapConfig = config.GetLDAPConfig()
+	loadCACerts(configDir)
+
+	certificateFile := getConfigPath(httpConfig.CertificateFile, configDir)
+	certificateKeyFile := getConfigPath(httpConfig.CertificateKeyFile, configDir)
+
+	httpServer := &http.Server{
+		Addr:           fmt.Sprintf("%s:%d", httpConfig.BindAddress, httpConfig.BindPort),
+		Handler:        router,
+		ReadTimeout:    70 * time.Second,
+		WriteTimeout:   70 * time.Second,
+		IdleTimeout:    120 * time.Second,
+		MaxHeaderBytes: 1 << 16, // 64KB
+	}
+	if len(certificateFile) > 0 && len(certificateKeyFile) > 0 {
+		certMgr, err = newCertManager(certificateFile, certificateKeyFile)
+		if err != nil {
+			return err
+		}
+		config := &tls.Config{
+			GetCertificate: certMgr.GetCertificateFunc(),
+		}
+		httpServer.TLSConfig = config
+		return httpServer.ListenAndServeTLS("", "")
+	}
+	return httpServer.ListenAndServe()
+}
+
+func sendAPIResponse(w http.ResponseWriter, r *http.Request, err error, message string, code int) {
+	var errorString string
+	if err != nil {
+		errorString = err.Error()
+	}
+	resp := apiResponse{
+		Error:      errorString,
+		Message:    message,
+		HTTPStatus: code,
+	}
+	ctx := context.WithValue(r.Context(), render.StatusCtxKey, code)
+	render.JSON(w, r.WithContext(ctx), resp)
+}
+
+func loadCACerts(configDir string) error {
+	var err error
+	rootCAs, err = x509.SystemCertPool()
+	if err != nil {
+		rootCAs = x509.NewCertPool()
+	}
+	for _, ca := range ldapConfig.CACertificates {
+		caPath := getConfigPath(ca, configDir)
+		certs, err := ioutil.ReadFile(caPath)
+		if err != nil {
+			logger.Warn(logSender, "", "error loading ca cert %#v: %v", caPath, err)
+			return err
+		}
+		if !rootCAs.AppendCertsFromPEM(certs) {
+			logger.Warn(logSender, "", "unable to add ca cert %#v", caPath)
+		} else {
+			logger.Debug(logSender, "", "ca cert %#v added to the trusted certificates", caPath)
+		}
+	}
+
+	return nil
+}
+
+// ReloadTLSCertificate reloads the TLS certificate and key from the configured paths
+func ReloadTLSCertificate() {
+	if certMgr != nil {
+		certMgr.loadCertificate()
+	}
+}
+
+func getConfigPath(name, configDir string) string {
+	if !utils.IsFileInputValid(name) {
+		return ""
+	}
+	if len(name) > 0 && !filepath.IsAbs(name) {
+		return filepath.Join(configDir, name)
+	}
+	return name
+}

examples/ldapauthserver/httpd/ldapauth.go

@@ -0,0 +1,143 @@
+package httpd
+
+import (
+	"bytes"
+	"crypto/tls"
+	"fmt"
+	"net/http"
+	"strconv"
+	"strings"
+
+	"github.com/drakkan/sftpgo/ldapauthserver/logger"
+	"github.com/go-chi/chi/middleware"
+	"github.com/go-chi/render"
+	"github.com/go-ldap/ldap/v3"
+	"golang.org/x/crypto/ssh"
+)
+
+func getSFTPGoUser(entry *ldap.Entry, username string) (SFTPGoUser, error) {
+	var err error
+	var user SFTPGoUser
+	uid := ldapConfig.DefaultUID
+	gid := ldapConfig.DefaultGID
+	status := 1
+
+	if !ldapConfig.ForceDefaultUID {
+		uid, err = strconv.Atoi(entry.GetAttributeValue(ldapConfig.GetUIDNumber()))
+		if err != nil {
+			return user, err
+		}
+	}
+
+	if !ldapConfig.ForceDefaultGID {
+		uid, err = strconv.Atoi(entry.GetAttributeValue(ldapConfig.GetGIDNumber()))
+		if err != nil {
+			return user, err
+		}
+	}
+
+	sftpgoUser := SFTPGoUser{
+		Username: username,
+		HomeDir:  entry.GetAttributeValue(ldapConfig.GetHomeDirectory()),
+		UID:      uid,
+		GID:      gid,
+		Status:   status,
+	}
+	sftpgoUser.Permissions = make(map[string][]string)
+	sftpgoUser.Permissions["/"] = []string{"*"}
+	return sftpgoUser, nil
+}
+
+func checkSFTPGoUserAuth(w http.ResponseWriter, r *http.Request) {
+	r.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)
+	var authReq externalAuthRequest
+	err := render.DecodeJSON(r.Body, &authReq)
+	if err != nil {
+		logger.Warn(logSender, middleware.GetReqID(r.Context()), "error decoding auth request: %v", err)
+		sendAPIResponse(w, r, err, "", http.StatusBadRequest)
+		return
+	}
+	l, err := ldap.DialURL(ldapConfig.BindURL, ldap.DialWithTLSConfig(&tls.Config{
+		InsecureSkipVerify: ldapConfig.InsecureSkipVerify,
+		RootCAs:            rootCAs,
+	}))
+	if err != nil {
+		logger.Warn(logSender, middleware.GetReqID(r.Context()), "error connecting to the LDAP server: %v", err)
+		sendAPIResponse(w, r, err, "Error connecting to the LDAP server", http.StatusInternalServerError)
+		return
+	}
+	defer l.Close()
+
+	err = l.Bind(ldapConfig.BindUsername, ldapConfig.BindPassword)
+	if err != nil {
+		logger.Warn(logSender, middleware.GetReqID(r.Context()), "error binding to the LDAP server: %v", err)
+		sendAPIResponse(w, r, err, "Error binding to the LDAP server", http.StatusInternalServerError)
+		return
+	}
+
+	searchRequest := ldap.NewSearchRequest(
+		ldapConfig.BaseDN,
+		ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false,
+		strings.Replace(ldapConfig.SearchFilter, "%s", authReq.Username, 1),
+		ldapConfig.SearchBaseAttrs,
+		nil,
+	)
+
+	sr, err := l.Search(searchRequest)
+	if err != nil {
+		logger.Warn(logSender, middleware.GetReqID(r.Context()), "error searching LDAP user %#v: %v", authReq.Username, err)
+		sendAPIResponse(w, r, err, "Error searching LDAP user", http.StatusInternalServerError)
+		return
+	}
+
+	if len(sr.Entries) != 1 {
+		logger.Warn(logSender, middleware.GetReqID(r.Context()), "expected one user, found: %v", len(sr.Entries))
+		sendAPIResponse(w, r, nil, fmt.Sprintf("Expected one user, found: %v", len(sr.Entries)), http.StatusNotFound)
+		return
+	}
+
+	if len(authReq.PublicKey) > 0 {
+		userKey, _, _, _, err := ssh.ParseAuthorizedKey([]byte(authReq.PublicKey))
+		if err != nil {
+			logger.Warn(logSender, middleware.GetReqID(r.Context()), "invalid public key for user %#v: %v", authReq.Username, err)
+			sendAPIResponse(w, r, err, "Invalid public key", http.StatusBadRequest)
+			return
+		}
+		authOk := false
+		for _, k := range sr.Entries[0].GetAttributeValues(ldapConfig.GetPublicKey()) {
+			key, _, _, _, err := ssh.ParseAuthorizedKey([]byte(k))
+			// we skip an invalid public key stored inside the LDAP server
+			if err != nil {
+				continue
+			}
+			if bytes.Equal(key.Marshal(), userKey.Marshal()) {
+				authOk = true
+				break
+			}
+		}
+		if !authOk {
+			logger.Warn(logSender, middleware.GetReqID(r.Context()), "public key authentication failed for user: %#v", authReq.Username)
+			sendAPIResponse(w, r, nil, "public key authentication failed", http.StatusForbidden)
+			return
+		}
+	} else {
+		// bind to the LDAP server with the user dn and the given password to check the password
+		userdn := sr.Entries[0].DN
+		err = l.Bind(userdn, authReq.Password)
+		if err != nil {
+			logger.Warn(logSender, middleware.GetReqID(r.Context()), "password authentication failed for user: %#v", authReq.Username)
+			sendAPIResponse(w, r, nil, "password authentication failed", http.StatusForbidden)
+			return
+		}
+	}
+
+	user, err := getSFTPGoUser(sr.Entries[0], authReq.Username)
+	if err != nil {
+		logger.Warn(logSender, middleware.GetReqID(r.Context()), "get user from LDAP entry failed for username %#v: %v",
+			authReq.Username, err)
+		sendAPIResponse(w, r, err, "mapping LDAP user failed", http.StatusInternalServerError)
+		return
+	}
+
+	render.JSON(w, r, user)
+}

examples/ldapauthserver/httpd/models.go

@@ -0,0 +1,109 @@
+package httpd
+
+type apiResponse struct {
+	Error      string `json:"error"`
+	Message    string `json:"message"`
+	HTTPStatus int    `json:"status"`
+}
+
+type externalAuthRequest struct {
+	Username  string `json:"username"`
+	Password  string `json:"password"`
+	PublicKey string `json:"public_key"`
+}
+
+// SFTPGoExtensionsFilter defines filters based on file extensions
+type SFTPGoExtensionsFilter struct {
+	Path              string   `json:"path"`
+	AllowedExtensions []string `json:"allowed_extensions,omitempty"`
+	DeniedExtensions  []string `json:"denied_extensions,omitempty"`
+}
+
+// SFTPGoUserFilters defines additional restrictions for an SFTPGo user
+type SFTPGoUserFilters struct {
+	AllowedIP          []string                 `json:"allowed_ip,omitempty"`
+	DeniedIP           []string                 `json:"denied_ip,omitempty"`
+	DeniedLoginMethods []string                 `json:"denied_login_methods,omitempty"`
+	FileExtensions     []SFTPGoExtensionsFilter `json:"file_extensions,omitempty"`
+}
+
+// S3FsConfig defines the configuration for S3 based filesystem
+type S3FsConfig struct {
+	Bucket            string `json:"bucket,omitempty"`
+	KeyPrefix         string `json:"key_prefix,omitempty"`
+	Region            string `json:"region,omitempty"`
+	AccessKey         string `json:"access_key,omitempty"`
+	AccessSecret      string `json:"access_secret,omitempty"`
+	Endpoint          string `json:"endpoint,omitempty"`
+	StorageClass      string `json:"storage_class,omitempty"`
+	UploadPartSize    int64  `json:"upload_part_size,omitempty"`
+	UploadConcurrency int    `json:"upload_concurrency,omitempty"`
+}
+
+// GCSFsConfig defines the configuration for Google Cloud Storage based filesystem
+type GCSFsConfig struct {
+	Bucket               string `json:"bucket,omitempty"`
+	KeyPrefix            string `json:"key_prefix,omitempty"`
+	Credentials          string `json:"credentials,omitempty"`
+	AutomaticCredentials int    `json:"automatic_credentials,omitempty"`
+	StorageClass         string `json:"storage_class,omitempty"`
+}
+
+// SFTPGoFilesystem defines cloud storage filesystem details
+type SFTPGoFilesystem struct {
+	// 0 local filesystem, 1 Amazon S3 compatible, 2 Google Cloud Storage
+	Provider  int         `json:"provider"`
+	S3Config  S3FsConfig  `json:"s3config,omitempty"`
+	GCSConfig GCSFsConfig `json:"gcsconfig,omitempty"`
+}
+
+type virtualFolder struct {
+	VirtualPath string `json:"virtual_path"`
+	MappedPath  string `json:"mapped_path"`
+}
+
+// SFTPGoUser defines an SFTPGo user
+type SFTPGoUser struct {
+	// Database unique identifier
+	ID int64 `json:"id"`
+	// 1 enabled, 0 disabled (login is not allowed)
+	Status int `json:"status"`
+	// Username
+	Username string `json:"username"`
+	// Account expiration date as unix timestamp in milliseconds. An expired account cannot login.
+	// 0 means no expiration
+	ExpirationDate int64    `json:"expiration_date"`
+	Password       string   `json:"password,omitempty"`
+	PublicKeys     []string `json:"public_keys,omitempty"`
+	HomeDir        string   `json:"home_dir"`
+	// Mapping between virtual paths and filesystem paths outside the home directory. Supported for local filesystem only
+	VirtualFolders []virtualFolder `json:"virtual_folders,omitempty"`
+	// If sftpgo runs as root system user then the created files and directories will be assigned to this system UID
+	UID int `json:"uid"`
+	// If sftpgo runs as root system user then the created files and directories will be assigned to this system GID
+	GID int `json:"gid"`
+	// Maximum concurrent sessions. 0 means unlimited
+	MaxSessions int `json:"max_sessions"`
+	// Maximum size allowed as bytes. 0 means unlimited
+	QuotaSize int64 `json:"quota_size"`
+	// Maximum number of files allowed. 0 means unlimited
+	QuotaFiles int `json:"quota_files"`
+	// List of the granted permissions
+	Permissions map[string][]string `json:"permissions"`
+	// Used quota as bytes
+	UsedQuotaSize int64 `json:"used_quota_size"`
+	// Used quota as number of files
+	UsedQuotaFiles int `json:"used_quota_files"`
+	// Last quota update as unix timestamp in milliseconds
+	LastQuotaUpdate int64 `json:"last_quota_update"`
+	// Maximum upload bandwidth as KB/s, 0 means unlimited
+	UploadBandwidth int64 `json:"upload_bandwidth"`
+	// Maximum download bandwidth as KB/s, 0 means unlimited
+	DownloadBandwidth int64 `json:"download_bandwidth"`
+	// Last login as unix timestamp in milliseconds
+	LastLogin int64 `json:"last_login"`
+	// Additional restrictions
+	Filters SFTPGoUserFilters `json:"filters"`
+	// Filesystem configuration details
+	FsConfig SFTPGoFilesystem `json:"filesystem"`
+}

examples/ldapauthserver/httpd/tlsutils.go

@@ -0,0 +1,50 @@
+package httpd
+
+import (
+	"crypto/tls"
+	"sync"
+
+	"github.com/drakkan/sftpgo/ldapauthserver/logger"
+)
+
+type certManager struct {
+	cert     *tls.Certificate
+	certPath string
+	keyPath  string
+	lock     *sync.RWMutex
+}
+
+func (m *certManager) loadCertificate() error {
+	newCert, err := tls.LoadX509KeyPair(m.certPath, m.keyPath)
+	if err != nil {
+		logger.Warn(logSender, "", "unable to load https certificate: %v", err)
+		return err
+	}
+	logger.Debug(logSender, "", "https certificate successfully loaded")
+	m.lock.Lock()
+	defer m.lock.Unlock()
+	m.cert = &newCert
+	return nil
+}
+
+func (m *certManager) GetCertificateFunc() func(*tls.ClientHelloInfo) (*tls.Certificate, error) {
+	return func(clientHello *tls.ClientHelloInfo) (*tls.Certificate, error) {
+		m.lock.RLock()
+		defer m.lock.RUnlock()
+		return m.cert, nil
+	}
+}
+
+func newCertManager(certificateFile, certificateKeyFile string) (*certManager, error) {
+	manager := &certManager{
+		cert:     nil,
+		certPath: certificateFile,
+		keyPath:  certificateKeyFile,
+		lock:     new(sync.RWMutex),
+	}
+	err := manager.loadCertificate()
+	if err != nil {
+		return nil, err
+	}
+	return manager, nil
+}

examples/ldapauthserver/ldapauth.toml

@@ -0,0 +1,33 @@
+[httpd]
+bind_address = ""
+bind_port = 9000
+# Path to a file used to store usernames and passwords for basic authentication. It can be generated using the Apache htpasswd tool
+auth_user_file = ""
+# If both the certificate and the private key are provided, the server will expect HTTPS connections
+certificate_file = ""
+certificate_key_file = ""
+
+[ldap]
+basedn = "dc=example,dc=com"
+bind_url = "ldap://127.0.0.1:389"
+bind_username = "cn=Directory Manager"
+bind_password = "YOUR_ADMIN_PASSWORD_HERE"
+search_filter = "(&(objectClass=nsPerson)(uid=%s))"
+# you can change the name of the search base attributes to adapt them to your schema but the order must remain the same
+search_base_attrs = [
+    "dn",
+    "homeDirectory",
+    "uidNumber",
+    "gidNumber",
+    "nsSshPublicKey"
+]
+default_uid = 0
+default_gid = 0
+force_default_uid = true
+force_default_gid = true
+# if true, ldaps accepts any certificate presented by the LDAP server and any host name in that certificate.
+# This should be used only for testing
+insecure_skip_verify = false
+# list of root CA to use for ldaps connections
+# If you use a self signed certificate is better to add the root CA to this list than set insecure_skip_verify to true
+ca_certificates = []

examples/ldapauthserver/logger/logger.go

@@ -0,0 +1,127 @@
+package logger
+
+import (
+	"fmt"
+	"os"
+	"path/filepath"
+	"runtime"
+	"sync"
+
+	"github.com/rs/zerolog"
+	lumberjack "gopkg.in/natefinch/lumberjack.v2"
+)
+
+const (
+	dateFormat = "2006-01-02T15:04:05.000" // YYYY-MM-DDTHH:MM:SS.ZZZ
+)
+
+var (
+	logger        zerolog.Logger
+	consoleLogger zerolog.Logger
+)
+
+// GetLogger get the configured logger instance
+func GetLogger() *zerolog.Logger {
+	return &logger
+}
+
+// InitLogger initialize loggers
+func InitLogger(logFilePath string, logMaxSize, logMaxBackups, logMaxAge int, logCompress bool, level zerolog.Level) {
+	zerolog.TimeFieldFormat = dateFormat
+	if isLogFilePathValid(logFilePath) {
+		logger = zerolog.New(&lumberjack.Logger{
+			Filename:   logFilePath,
+			MaxSize:    logMaxSize,
+			MaxBackups: logMaxBackups,
+			MaxAge:     logMaxAge,
+			Compress:   logCompress,
+		})
+		EnableConsoleLogger(level)
+	} else {
+		logger = zerolog.New(logSyncWrapper{
+			output: os.Stdout,
+			lock:   new(sync.Mutex)})
+		consoleLogger = zerolog.Nop()
+	}
+	logger.Level(level)
+}
+
+// DisableLogger disable the main logger.
+// ConsoleLogger will not be affected
+func DisableLogger() {
+	logger = zerolog.Nop()
+}
+
+// EnableConsoleLogger enables the console logger
+func EnableConsoleLogger(level zerolog.Level) {
+	consoleOutput := zerolog.ConsoleWriter{
+		Out:        os.Stdout,
+		TimeFormat: dateFormat,
+		NoColor:    runtime.GOOS == "windows",
+	}
+	consoleLogger = zerolog.New(consoleOutput).With().Timestamp().Logger().Level(level)
+}
+
+// Debug logs at debug level for the specified sender
+func Debug(prefix, requestID string, format string, v ...interface{}) {
+	logger.Debug().
+		Timestamp().
+		Str("sender", prefix).
+		Str("request_id", requestID).
+		Msg(fmt.Sprintf(format, v...))
+}
+
+// Info logs at info level for the specified sender
+func Info(prefix, requestID string, format string, v ...interface{}) {
+	logger.Info().
+		Timestamp().
+		Str("sender", prefix).
+		Str("request_id", requestID).
+		Msg(fmt.Sprintf(format, v...))
+}
+
+// Warn logs at warn level for the specified sender
+func Warn(prefix, requestID string, format string, v ...interface{}) {
+	logger.Warn().
+		Timestamp().
+		Str("sender", prefix).
+		Str("request_id", requestID).
+		Msg(fmt.Sprintf(format, v...))
+}
+
+// Error logs at error level for the specified sender
+func Error(prefix, requestID string, format string, v ...interface{}) {
+	logger.Error().
+		Timestamp().
+		Str("sender", prefix).
+		Str("request_id", requestID).
+		Msg(fmt.Sprintf(format, v...))
+}
+
+// DebugToConsole logs at debug level to stdout
+func DebugToConsole(format string, v ...interface{}) {
+	consoleLogger.Debug().Msg(fmt.Sprintf(format, v...))
+}
+
+// InfoToConsole logs at info level to stdout
+func InfoToConsole(format string, v ...interface{}) {
+	consoleLogger.Info().Msg(fmt.Sprintf(format, v...))
+}
+
+// WarnToConsole logs at info level to stdout
+func WarnToConsole(format string, v ...interface{}) {
+	consoleLogger.Warn().Msg(fmt.Sprintf(format, v...))
+}
+
+// ErrorToConsole logs at error level to stdout
+func ErrorToConsole(format string, v ...interface{}) {
+	consoleLogger.Error().Msg(fmt.Sprintf(format, v...))
+}
+
+func isLogFilePathValid(logFilePath string) bool {
+	cleanInput := filepath.Clean(logFilePath)
+	if cleanInput == "." || cleanInput == ".." {
+		return false
+	}
+	return true
+}

examples/ldapauthserver/logger/request_logger.go

@@ -0,0 +1,73 @@
+package logger
+
+import (
+	"fmt"
+	"net/http"
+	"time"
+
+	"github.com/go-chi/chi/middleware"
+	"github.com/rs/zerolog"
+)
+
+// StructuredLogger defines a simple wrapper around zerolog logger.
+// It implements chi.middleware.LogFormatter interface
+type StructuredLogger struct {
+	Logger *zerolog.Logger
+}
+
+// StructuredLoggerEntry ...
+type StructuredLoggerEntry struct {
+	Logger *zerolog.Logger
+	fields map[string]interface{}
+}
+
+// NewStructuredLogger returns a chi.middleware.RequestLogger using our StructuredLogger.
+// This structured logger is called by the chi.middleware.Logger handler to log each HTTP request
+func NewStructuredLogger(logger *zerolog.Logger) func(next http.Handler) http.Handler {
+	return middleware.RequestLogger(&StructuredLogger{logger})
+}
+
+// NewLogEntry creates a new log entry for an HTTP request
+func (l *StructuredLogger) NewLogEntry(r *http.Request) middleware.LogEntry {
+	scheme := "http"
+	if r.TLS != nil {
+		scheme = "https"
+	}
+
+	fields := map[string]interface{}{
+		"remote_addr": r.RemoteAddr,
+		"proto":       r.Proto,
+		"method":      r.Method,
+		"user_agent":  r.UserAgent(),
+		"uri":         fmt.Sprintf("%s://%s%s", scheme, r.Host, r.RequestURI)}
+
+	reqID := middleware.GetReqID(r.Context())
+	if reqID != "" {
+		fields["request_id"] = reqID
+	}
+
+	return &StructuredLoggerEntry{Logger: l.Logger, fields: fields}
+}
+
+// Write logs a new entry at the end of the HTTP request
+func (l *StructuredLoggerEntry) Write(status, bytes int, header http.Header, elapsed time.Duration, extra interface{}) {
+	l.Logger.Info().
+		Timestamp().
+		Str("sender", "httpd").
+		Fields(l.fields).
+		Int("resp_status", status).
+		Int("resp_size", bytes).
+		Int64("elapsed_ms", elapsed.Nanoseconds()/1000000).
+		Msg("")
+}
+
+// Panic logs panics
+func (l *StructuredLoggerEntry) Panic(v interface{}, stack []byte) {
+	l.Logger.Error().
+		Timestamp().
+		Str("sender", "httpd").
+		Fields(l.fields).
+		Str("stack", string(stack)).
+		Str("panic", fmt.Sprintf("%+v", v)).
+		Msg("")
+}

examples/ldapauthserver/logger/sync_wrapper.go

@@ -0,0 +1,17 @@
+package logger
+
+import (
+	"os"
+	"sync"
+)
+
+type logSyncWrapper struct {
+	lock   *sync.Mutex
+	output *os.File
+}
+
+func (l logSyncWrapper) Write(b []byte) (n int, err error) {
+	l.lock.Lock()
+	defer l.lock.Unlock()
+	return l.output.Write(b)
+}

examples/ldapauthserver/main.go

@@ -0,0 +1,7 @@
+package main
+
+import "github.com/drakkan/sftpgo/ldapauthserver/cmd"
+
+func main() {
+	cmd.Execute()
+}

examples/ldapauthserver/utils/utils.go

@@ -0,0 +1,28 @@
+package utils
+
+import (
+	"path/filepath"
+	"strings"
+)
+
+// IsFileInputValid returns true this is a valid file name.
+// This method must be used before joining a file name, generally provided as
+// user input, with a directory
+func IsFileInputValid(fileInput string) bool {
+	cleanInput := filepath.Clean(fileInput)
+	if cleanInput == "." || cleanInput == ".." {
+		return false
+	}
+	return true
+}
+
+// IsStringPrefixInSlice searches a string prefix in a slice and returns true
+// if a matching prefix is found
+func IsStringPrefixInSlice(obj string, list []string) bool {
+	for _, v := range list {
+		if strings.HasPrefix(obj, v) {
+			return true
+		}
+	}
+	return false
+}

examples/ldapauthserver/utils/version.go

@@ -0,0 +1,41 @@
+package utils
+
+const version = "0.1.0-dev"
+
+var (
+	commit      = ""
+	date        = ""
+	versionInfo VersionInfo
+)
+
+// VersionInfo defines version details
+type VersionInfo struct {
+	Version    string `json:"version"`
+	BuildDate  string `json:"build_date"`
+	CommitHash string `json:"commit_hash"`
+}
+
+func init() {
+	versionInfo = VersionInfo{
+		Version:    version,
+		CommitHash: commit,
+		BuildDate:  date,
+	}
+}
+
+// GetVersionAsString returns the string representation of the VersionInfo struct
+func (v *VersionInfo) GetVersionAsString() string {
+	versionString := v.Version
+	if len(v.CommitHash) > 0 {
+		versionString += "-" + v.CommitHash
+	}
+	if len(v.BuildDate) > 0 {
+		versionString += "-" + v.BuildDate
+	}
+	return versionString
+}
+
+// GetAppVersion returns VersionInfo struct
+func GetAppVersion() VersionInfo {
+	return versionInfo
+}