diff --git a/dataprovider/admin.go b/dataprovider/admin.go index 18fa4190..9e747717 100644 --- a/dataprovider/admin.go +++ b/dataprovider/admin.go @@ -28,6 +28,7 @@ const ( PermAdminCloseConnections = "close_conns" PermAdminViewServerStatus = "view_status" PermAdminManageAdmins = "manage_admins" + PermAdminManageAPIKeys = "manage_apikeys" PermAdminQuotaScans = "quota_scans" PermAdminManageSystem = "manage_system" PermAdminManageDefender = "manage_defender" @@ -38,8 +39,8 @@ var ( emailRegex = regexp.MustCompile("^(?:(?:(?:(?:[a-zA-Z]|\\d|[!#\\$%&'\\*\\+\\-\\/=\\?\\^_`{\\|}~]|[\\x{00A0}-\\x{D7FF}\\x{F900}-\\x{FDCF}\\x{FDF0}-\\x{FFEF}])+(?:\\.([a-zA-Z]|\\d|[!#\\$%&'\\*\\+\\-\\/=\\?\\^_`{\\|}~]|[\\x{00A0}-\\x{D7FF}\\x{F900}-\\x{FDCF}\\x{FDF0}-\\x{FFEF}])+)*)|(?:(?:\\x22)(?:(?:(?:(?:\\x20|\\x09)*(?:\\x0d\\x0a))?(?:\\x20|\\x09)+)?(?:(?:[\\x01-\\x08\\x0b\\x0c\\x0e-\\x1f\\x7f]|\\x21|[\\x23-\\x5b]|[\\x5d-\\x7e]|[\\x{00A0}-\\x{D7FF}\\x{F900}-\\x{FDCF}\\x{FDF0}-\\x{FFEF}])|(?:(?:[\\x01-\\x09\\x0b\\x0c\\x0d-\\x7f]|[\\x{00A0}-\\x{D7FF}\\x{F900}-\\x{FDCF}\\x{FDF0}-\\x{FFEF}]))))*(?:(?:(?:\\x20|\\x09)*(?:\\x0d\\x0a))?(\\x20|\\x09)+)?(?:\\x22))))@(?:(?:(?:[a-zA-Z]|\\d|[\\x{00A0}-\\x{D7FF}\\x{F900}-\\x{FDCF}\\x{FDF0}-\\x{FFEF}])|(?:(?:[a-zA-Z]|\\d|[\\x{00A0}-\\x{D7FF}\\x{F900}-\\x{FDCF}\\x{FDF0}-\\x{FFEF}])(?:[a-zA-Z]|\\d|-|\\.|~|[\\x{00A0}-\\x{D7FF}\\x{F900}-\\x{FDCF}\\x{FDF0}-\\x{FFEF}])*(?:[a-zA-Z]|\\d|[\\x{00A0}-\\x{D7FF}\\x{F900}-\\x{FDCF}\\x{FDF0}-\\x{FFEF}])))\\.)+(?:(?:[a-zA-Z]|[\\x{00A0}-\\x{D7FF}\\x{F900}-\\x{FDCF}\\x{FDF0}-\\x{FFEF}])|(?:(?:[a-zA-Z]|[\\x{00A0}-\\x{D7FF}\\x{F900}-\\x{FDCF}\\x{FDF0}-\\x{FFEF}])(?:[a-zA-Z]|\\d|-|\\.|~|[\\x{00A0}-\\x{D7FF}\\x{F900}-\\x{FDCF}\\x{FDF0}-\\x{FFEF}])*(?:[a-zA-Z]|[\\x{00A0}-\\x{D7FF}\\x{F900}-\\x{FDCF}\\x{FDF0}-\\x{FFEF}])))\\.?$") validAdminPerms = []string{PermAdminAny, PermAdminAddUsers, PermAdminChangeUsers, PermAdminDeleteUsers, PermAdminViewUsers, PermAdminViewConnections, PermAdminCloseConnections, PermAdminViewServerStatus, - PermAdminManageAdmins, PermAdminQuotaScans, PermAdminManageSystem, PermAdminManageDefender, - PermAdminViewDefender} + PermAdminManageAdmins, PermAdminManageAPIKeys, PermAdminQuotaScans, PermAdminManageSystem, + PermAdminManageDefender, PermAdminViewDefender} ) // AdminFilters defines additional restrictions for SFTPGo admins @@ -49,6 +50,8 @@ type AdminFilters struct { // IP/Mask must be in CIDR notation as defined in RFC 4632 and RFC 4291 // for example "192.0.2.0/24" or "2001:db8::/32" AllowList []string `json:"allow_list,omitempty"` + // API key auth allows to impersonate this administrator with an API key + AllowAPIKeyAuth bool `json:"allow_api_key_auth,omitempty"` } // Admin defines a SFTPGo admin @@ -162,10 +165,21 @@ func (a *Admin) CanLoginFromIP(ip string) bool { return false } -func (a *Admin) checkUserAndPass(password, ip string) error { +// CanLogin returns an error if the login is not allowed +func (a *Admin) CanLogin(ip string) error { if a.Status != 1 { return fmt.Errorf("admin %#v is disabled", a.Username) } + if !a.CanLoginFromIP(ip) { + return fmt.Errorf("login from IP %v not allowed", ip) + } + return nil +} + +func (a *Admin) checkUserAndPass(password, ip string) error { + if err := a.CanLogin(ip); err != nil { + return err + } if a.Password == "" || password == "" { return errors.New("credentials cannot be null or empty") } @@ -176,9 +190,6 @@ func (a *Admin) checkUserAndPass(password, ip string) error { if !match { return ErrInvalidCredentials } - if !a.CanLoginFromIP(ip) { - return fmt.Errorf("login from IP %v not allowed", ip) - } return nil } @@ -236,6 +247,7 @@ func (a *Admin) getACopy() Admin { copy(permissions, a.Permissions) filters := AdminFilters{} filters.AllowList = make([]string, len(a.Filters.AllowList)) + filters.AllowAPIKeyAuth = a.Filters.AllowAPIKeyAuth copy(filters.AllowList, a.Filters.AllowList) return Admin{ diff --git a/dataprovider/apikey.go b/dataprovider/apikey.go new file mode 100644 index 00000000..78dd599f --- /dev/null +++ b/dataprovider/apikey.go @@ -0,0 +1,173 @@ +package dataprovider + +import ( + "fmt" + "strings" + "time" + + "github.com/alexedwards/argon2id" + "github.com/lithammer/shortuuid/v3" + "golang.org/x/crypto/bcrypt" + + "github.com/drakkan/sftpgo/v2/util" +) + +// APIKeyScope defines the supported API key scopes +type APIKeyScope int + +// Supported API key scopes +const ( + // the API key will be used for an admin + APIKeyScopeAdmin APIKeyScope = iota + 1 + // the API key will be used for a user + APIKeyScopeUser +) + +// APIKey defines a SFTPGo API key. +// API keys can be used as authentication alternative to short lived tokens +// for REST API +type APIKey struct { + // Database unique identifier + ID int64 `json:"-"` + // Unique key identifier, used for key lookups. + // The generated key is in the format `KeyID.hash(Key)` so we can split + // and lookup by KeyID and then verify if the key matches the recorded hash + KeyID string `json:"id"` + // User friendly key name + Name string `json:"name"` + // we store the hash of the key, this is just like a password + Key string `json:"key,omitempty"` + Scope APIKeyScope `json:"scope"` + CreatedAt int64 `json:"created_at"` + UpdatedAt int64 `json:"updated_at"` + // 0 means never used + LastUseAt int64 `json:"last_use_at,omitempty"` + // 0 means never expire + ExpiresAt int64 `json:"expires_at,omitempty"` + Description string `json:"description,omitempty"` + // Username associated with this API key. + // If empty and the scope is APIKeyScopeUser the key is valid for any user + User string `json:"user,omitempty"` + // Admin username associated with this API key. + // If empty and the scope is APIKeyScopeAdmin the key is valid for any admin + Admin string `json:"admin,omitempty"` + // these fields are for internal use + userID int64 + adminID int64 + plainKey string +} + +func (k *APIKey) getACopy() APIKey { + return APIKey{ + ID: k.ID, + KeyID: k.KeyID, + Name: k.Name, + Key: k.Key, + Scope: k.Scope, + CreatedAt: k.CreatedAt, + UpdatedAt: k.UpdatedAt, + LastUseAt: k.LastUseAt, + ExpiresAt: k.ExpiresAt, + Description: k.Description, + User: k.User, + Admin: k.Admin, + userID: k.userID, + adminID: k.adminID, + } +} + +// HideConfidentialData hides admin confidential data +func (k *APIKey) HideConfidentialData() { + k.Key = "" +} + +func (k *APIKey) checkKey() error { + if k.Key != "" && !util.IsStringPrefixInSlice(k.Key, internalHashPwdPrefixes) { + if config.PasswordHashing.Algo == HashingAlgoBcrypt { + hashed, err := bcrypt.GenerateFromPassword([]byte(k.Key), config.PasswordHashing.BcryptOptions.Cost) + if err != nil { + return err + } + k.Key = string(hashed) + } else { + hashed, err := argon2id.CreateHash(k.Key, argon2Params) + if err != nil { + return err + } + k.Key = hashed + } + } + return nil +} + +func (k *APIKey) generateKey() { + if k.KeyID != "" || k.Key != "" { + return + } + k.KeyID = shortuuid.New() + k.Key = shortuuid.New() + k.plainKey = k.Key +} + +// DisplayKey returns the key to show to the user +func (k *APIKey) DisplayKey() string { + return fmt.Sprintf("%v.%v", k.KeyID, k.plainKey) +} + +func (k *APIKey) validate() error { + if k.Name == "" { + return util.NewValidationError("name is mandatory") + } + if k.Scope != APIKeyScopeAdmin && k.Scope != APIKeyScopeUser { + return util.NewValidationError(fmt.Sprintf("invalid scope: %v", k.Scope)) + } + k.generateKey() + if err := k.checkKey(); err != nil { + return err + } + if k.CreatedAt == 0 { + k.CreatedAt = util.GetTimeAsMsSinceEpoch(time.Now()) + } + if k.User != "" && k.Admin != "" { + return util.NewValidationError("an API key can be related to a user or an admin, not both") + } + if k.Scope == APIKeyScopeAdmin { + k.User = "" + } + if k.Scope == APIKeyScopeUser { + k.Admin = "" + } + if k.User != "" { + _, err := provider.userExists(k.User) + if err != nil { + return util.NewValidationError(fmt.Sprintf("unable to check API key user %v: %v", k.User, err)) + } + } + if k.Admin != "" { + _, err := provider.adminExists(k.Admin) + if err != nil { + return util.NewValidationError(fmt.Sprintf("unable to check API key admin %v: %v", k.Admin, err)) + } + } + return nil +} + +// Authenticate tries to authenticate the provided plain key +func (k *APIKey) Authenticate(plainKey string) error { + if k.ExpiresAt > 0 && k.ExpiresAt < util.GetTimeAsMsSinceEpoch(time.Now()) { + return fmt.Errorf("API key %#v is expired, expiration timestamp: %v current timestamp: %v", k.KeyID, + k.ExpiresAt, util.GetTimeAsMsSinceEpoch(time.Now())) + } + if strings.HasPrefix(k.Key, bcryptPwdPrefix) { + if err := bcrypt.CompareHashAndPassword([]byte(k.Key), []byte(plainKey)); err != nil { + return ErrInvalidCredentials + } + } else if strings.HasPrefix(k.Key, argonPwdPrefix) { + match, err := argon2id.ComparePasswordAndHash(plainKey, k.Key) + if err != nil || !match { + return ErrInvalidCredentials + } + } + + return nil +} diff --git a/dataprovider/bolt.go b/dataprovider/bolt.go index cd6dfd5f..a4a7508b 100644 --- a/dataprovider/bolt.go +++ b/dataprovider/bolt.go @@ -19,13 +19,14 @@ import ( ) const ( - boltDatabaseVersion = 10 + boltDatabaseVersion = 11 ) var ( usersBucket = []byte("users") foldersBucket = []byte("folders") adminsBucket = []byte("admins") + apiKeysBucket = []byte("api_keys") dbVersionBucket = []byte("db_version") dbVersionKey = []byte("version") ) @@ -83,6 +84,14 @@ func initializeBoltProvider(basePath string) error { providerLog(logger.LevelWarn, "error creating admins bucket: %v", err) return err } + err = dbHandle.Update(func(tx *bolt.Tx) error { + _, e := tx.CreateBucketIfNotExists(apiKeysBucket) + return e + }) + if err != nil { + providerLog(logger.LevelWarn, "error creating api keys bucket: %v", err) + return err + } err = dbHandle.Update(func(tx *bolt.Tx) error { _, e := tx.CreateBucketIfNotExists(dbVersionBucket) return e @@ -152,6 +161,36 @@ func (p *BoltProvider) validateUserAndPubKey(username string, pubKey []byte) (Us return checkUserAndPubKey(&user, pubKey) } +func (p *BoltProvider) updateAPIKeyLastUse(keyID string) error { + return p.dbHandle.Update(func(tx *bolt.Tx) error { + bucket, err := getAPIKeysBucket(tx) + if err != nil { + return err + } + var u []byte + if u = bucket.Get([]byte(keyID)); u == nil { + return util.NewRecordNotFoundError(fmt.Sprintf("key %#v does not exist, unable to update last use", keyID)) + } + var apiKey APIKey + err = json.Unmarshal(u, &apiKey) + if err != nil { + return err + } + apiKey.LastUseAt = util.GetTimeAsMsSinceEpoch(time.Now()) + buf, err := json.Marshal(apiKey) + if err != nil { + return err + } + err = bucket.Put([]byte(keyID), buf) + if err != nil { + providerLog(logger.LevelWarn, "error updating last use for key %#v: %v", keyID, err) + return err + } + providerLog(logger.LevelDebug, "last use updated for key %#v", keyID) + return nil + }) +} + func (p *BoltProvider) updateLastLogin(username string) error { return p.dbHandle.Update(func(tx *bolt.Tx) error { bucket, err := getUsersBucket(tx) @@ -310,6 +349,10 @@ func (p *BoltProvider) deleteAdmin(admin *Admin) error { return util.NewRecordNotFoundError(fmt.Sprintf("admin %v does not exist", admin.Username)) } + if err := deleteRelatedAPIKey(tx, admin.Username, APIKeyScopeAdmin); err != nil { + return err + } + return bucket.Delete([]byte(admin.Username)) }) } @@ -503,6 +546,11 @@ func (p *BoltProvider) deleteUser(user *User) error { if err != nil { return err } + exists := bucket.Get([]byte(user.Username)) + if exists == nil { + return util.NewRecordNotFoundError(fmt.Sprintf("user %#v does not exist", user.Username)) + } + if len(user.VirtualFolders) > 0 { folderBucket, err := getFoldersBucket(tx) if err != nil { @@ -515,9 +563,9 @@ func (p *BoltProvider) deleteUser(user *User) error { } } } - exists := bucket.Get([]byte(user.Username)) - if exists == nil { - return util.NewRecordNotFoundError(fmt.Sprintf("user %#v does not exist", user.Username)) + + if err := deleteRelatedAPIKey(tx, user.Username, APIKeyScopeUser); err != nil { + return err } return bucket.Delete([]byte(user.Username)) }) @@ -833,6 +881,174 @@ func (p *BoltProvider) getUsedFolderQuota(name string) (int, int64, error) { return folder.UsedQuotaFiles, folder.UsedQuotaSize, err } +func (p *BoltProvider) apiKeyExists(keyID string) (APIKey, error) { + var apiKey APIKey + err := p.dbHandle.View(func(tx *bolt.Tx) error { + bucket, err := getAPIKeysBucket(tx) + if err != nil { + return err + } + + k := bucket.Get([]byte(keyID)) + if k == nil { + return util.NewRecordNotFoundError(fmt.Sprintf("API key %v does not exist", keyID)) + } + return json.Unmarshal(k, &apiKey) + }) + return apiKey, err +} + +func (p *BoltProvider) addAPIKey(apiKey *APIKey) error { + err := apiKey.validate() + if err != nil { + return err + } + return p.dbHandle.Update(func(tx *bolt.Tx) error { + bucket, err := getAPIKeysBucket(tx) + if err != nil { + return err + } + if a := bucket.Get([]byte(apiKey.KeyID)); a != nil { + return fmt.Errorf("API key %v already exists", apiKey.KeyID) + } + id, err := bucket.NextSequence() + if err != nil { + return err + } + apiKey.ID = int64(id) + apiKey.UpdatedAt = util.GetTimeAsMsSinceEpoch(time.Now()) + buf, err := json.Marshal(apiKey) + if err != nil { + return err + } + return bucket.Put([]byte(apiKey.KeyID), buf) + }) +} + +func (p *BoltProvider) updateAPIKey(apiKey *APIKey) error { + err := apiKey.validate() + if err != nil { + return err + } + return p.dbHandle.Update(func(tx *bolt.Tx) error { + bucket, err := getAPIKeysBucket(tx) + if err != nil { + return err + } + var a []byte + + if a = bucket.Get([]byte(apiKey.KeyID)); a == nil { + return util.NewRecordNotFoundError(fmt.Sprintf("API key %v does not exist", apiKey.KeyID)) + } + var oldAPIKey APIKey + err = json.Unmarshal(a, &oldAPIKey) + if err != nil { + return err + } + + apiKey.ID = oldAPIKey.ID + apiKey.KeyID = oldAPIKey.KeyID + apiKey.Key = oldAPIKey.Key + apiKey.CreatedAt = oldAPIKey.CreatedAt + apiKey.LastUseAt = oldAPIKey.LastUseAt + apiKey.UpdatedAt = util.GetTimeAsMsSinceEpoch(time.Now()) + buf, err := json.Marshal(apiKey) + if err != nil { + return err + } + return bucket.Put([]byte(apiKey.KeyID), buf) + }) +} + +func (p *BoltProvider) deleteAPIKeys(apiKey *APIKey) error { + return p.dbHandle.Update(func(tx *bolt.Tx) error { + bucket, err := getAPIKeysBucket(tx) + if err != nil { + return err + } + + if bucket.Get([]byte(apiKey.KeyID)) == nil { + return util.NewRecordNotFoundError(fmt.Sprintf("API key %v does not exist", apiKey.KeyID)) + } + + return bucket.Delete([]byte(apiKey.KeyID)) + }) +} + +func (p *BoltProvider) getAPIKeys(limit int, offset int, order string) ([]APIKey, error) { + apiKeys := make([]APIKey, 0, limit) + + err := p.dbHandle.View(func(tx *bolt.Tx) error { + bucket, err := getAPIKeysBucket(tx) + if err != nil { + return err + } + cursor := bucket.Cursor() + itNum := 0 + if order == OrderASC { + for k, v := cursor.First(); k != nil; k, v = cursor.Next() { + itNum++ + if itNum <= offset { + continue + } + var apiKey APIKey + err = json.Unmarshal(v, &apiKey) + if err != nil { + return err + } + apiKey.HideConfidentialData() + apiKeys = append(apiKeys, apiKey) + if len(apiKeys) >= limit { + break + } + } + return nil + } + for k, v := cursor.Last(); k != nil; k, v = cursor.Prev() { + itNum++ + if itNum <= offset { + continue + } + var apiKey APIKey + err = json.Unmarshal(v, &apiKey) + if err != nil { + return err + } + apiKey.HideConfidentialData() + apiKeys = append(apiKeys, apiKey) + if len(apiKeys) >= limit { + break + } + } + return nil + }) + + return apiKeys, err +} + +func (p *BoltProvider) dumpAPIKeys() ([]APIKey, error) { + apiKeys := make([]APIKey, 0, 30) + err := p.dbHandle.View(func(tx *bolt.Tx) error { + bucket, err := getAPIKeysBucket(tx) + if err != nil { + return err + } + + cursor := bucket.Cursor() + for k, v := cursor.First(); k != nil; k, v = cursor.Next() { + var apiKey APIKey + err = json.Unmarshal(v, &apiKey) + if err != nil { + return err + } + apiKeys = append(apiKeys, apiKey) + } + return err + }) + + return apiKeys, err +} + func (p *BoltProvider) close() error { return p.dbHandle.Close() } @@ -860,6 +1076,8 @@ func (p *BoltProvider) migrateDatabase() error { providerLog(logger.LevelError, "%v", err) logger.ErrorToConsole("%v", err) return err + case version == 10: + return updateBoltDatabaseVersion(p.dbHandle, 11) default: if version > boltDatabaseVersion { providerLog(logger.LevelWarn, "database version %v is newer than the supported one: %v", version, @@ -880,7 +1098,12 @@ func (p *BoltProvider) revertDatabase(targetVersion int) error { if dbVersion.Version == targetVersion { return errors.New("current version match target version, nothing to do") } - return errors.New("the current version cannot be reverted") + switch dbVersion.Version { + case 11: + return updateBoltDatabaseVersion(p.dbHandle, 10) + default: + return fmt.Errorf("database version not handled: %v", dbVersion.Version) + } } func joinUserAndFolders(u []byte, foldersBucket *bolt.Bucket) (User, error) { @@ -988,12 +1211,55 @@ func removeUserFromFolderMapping(folder *vfs.VirtualFolder, user *User, bucket * return err } +func deleteRelatedAPIKey(tx *bolt.Tx, username string, scope APIKeyScope) error { + bucket, err := getAPIKeysBucket(tx) + if err != nil { + return err + } + var toRemove []string + cursor := bucket.Cursor() + for k, v := cursor.First(); k != nil; k, v = cursor.Next() { + var apiKey APIKey + err = json.Unmarshal(v, &apiKey) + if err != nil { + return err + } + if scope == APIKeyScopeUser { + if apiKey.User == username { + toRemove = append(toRemove, apiKey.KeyID) + } + } else { + if apiKey.Admin == username { + toRemove = append(toRemove, apiKey.KeyID) + } + } + } + + for _, k := range toRemove { + if err := bucket.Delete([]byte(k)); err != nil { + return err + } + } + + return nil +} + +func getAPIKeysBucket(tx *bolt.Tx) (*bolt.Bucket, error) { + var err error + + bucket := tx.Bucket(apiKeysBucket) + if bucket == nil { + err = errors.New("unable to find api keys bucket, bolt database structure not correcly defined") + } + return bucket, err +} + func getAdminsBucket(tx *bolt.Tx) (*bolt.Bucket, error) { var err error bucket := tx.Bucket(adminsBucket) if bucket == nil { - err = errors.New("unable to find admin bucket, bolt database structure not correcly defined") + err = errors.New("unable to find admins bucket, bolt database structure not correcly defined") } return bucket, err } @@ -1002,7 +1268,7 @@ func getUsersBucket(tx *bolt.Tx) (*bolt.Bucket, error) { var err error bucket := tx.Bucket(usersBucket) if bucket == nil { - err = errors.New("unable to find required buckets, bolt database structure not correcly defined") + err = errors.New("unable to find users bucket, bolt database structure not correcly defined") } return bucket, err } @@ -1011,7 +1277,7 @@ func getFoldersBucket(tx *bolt.Tx) (*bolt.Bucket, error) { var err error bucket := tx.Bucket(foldersBucket) if bucket == nil { - err = fmt.Errorf("unable to find required buckets, bolt database structure not correcly defined") + err = fmt.Errorf("unable to find folders buckets, bolt database structure not correcly defined") } return bucket, err } @@ -1035,7 +1301,7 @@ func getBoltDatabaseVersion(dbHandle *bolt.DB) (schemaVersion, error) { return dbVersion, err } -/*func updateBoltDatabaseVersion(dbHandle *bolt.DB, version int) error { +func updateBoltDatabaseVersion(dbHandle *bolt.DB, version int) error { err := dbHandle.Update(func(tx *bolt.Tx) error { bucket := tx.Bucket(dbVersionBucket) if bucket == nil { @@ -1051,4 +1317,4 @@ func getBoltDatabaseVersion(dbHandle *bolt.DB) (schemaVersion, error) { return bucket.Put(dbVersionKey, buf) }) return err -}*/ +} diff --git a/dataprovider/dataprovider.go b/dataprovider/dataprovider.go index 8644268d..a0765f3a 100644 --- a/dataprovider/dataprovider.go +++ b/dataprovider/dataprovider.go @@ -69,7 +69,7 @@ const ( CockroachDataProviderName = "cockroachdb" // DumpVersion defines the version for the dump. // For restore/load we support the current version and the previous one - DumpVersion = 8 + DumpVersion = 9 argonPwdPrefix = "$argon2id$" bcryptPwdPrefix = "$2a$" @@ -141,6 +141,7 @@ var ( sqlTableFolders = "folders" sqlTableFoldersMapping = "folders_mapping" sqlTableAdmins = "admins" + sqlTableAPIKeys = "api_keys" sqlTableSchemaVersion = "schema_version" argon2Params *argon2id.Params lastLoginMinDelay = 10 * time.Minute @@ -343,6 +344,7 @@ type BackupData struct { Users []User `json:"users"` Folders []vfs.BaseVirtualFolder `json:"folders"` Admins []Admin `json:"admins"` + APIKeys []APIKey `json:"api_keys"` Version int `json:"version"` } @@ -405,6 +407,13 @@ type Provider interface { getAdmins(limit int, offset int, order string) ([]Admin, error) dumpAdmins() ([]Admin, error) validateAdminAndPass(username, password, ip string) (Admin, error) + apiKeyExists(keyID string) (APIKey, error) + addAPIKey(apiKey *APIKey) error + updateAPIKey(apiKey *APIKey) error + deleteAPIKeys(apiKey *APIKey) error + getAPIKeys(limit int, offset int, order string) ([]APIKey, error) + dumpAPIKeys() ([]APIKey, error) + updateAPIKeyLastUse(keyID string) error checkAvailability() error close() error reloadConfig() error @@ -537,9 +546,11 @@ func validateSQLTablesPrefix() error { sqlTableFolders = config.SQLTablesPrefix + sqlTableFolders sqlTableFoldersMapping = config.SQLTablesPrefix + sqlTableFoldersMapping sqlTableAdmins = config.SQLTablesPrefix + sqlTableAdmins + sqlTableAPIKeys = config.SQLTablesPrefix + sqlTableAPIKeys sqlTableSchemaVersion = config.SQLTablesPrefix + sqlTableSchemaVersion - providerLog(logger.LevelDebug, "sql table for users %#v, folders %#v folders mapping %#v admins %#v schema version %#v", - sqlTableUsers, sqlTableFolders, sqlTableFoldersMapping, sqlTableAdmins, sqlTableSchemaVersion) + providerLog(logger.LevelDebug, "sql table for users %#v, folders %#v folders mapping %#v admins %#v "+ + "api keys %#v schema version %#v", sqlTableUsers, sqlTableFolders, sqlTableFoldersMapping, sqlTableAdmins, + sqlTableAPIKeys, sqlTableSchemaVersion) } return nil } @@ -620,7 +631,7 @@ func CheckCachedUserCredentials(user *CachedUser, password, loginMethod, protoco return nil } } - if err := checkLoginConditions(&user.User); err != nil { + if err := user.User.CheckLoginConditions(); err != nil { return err } if password == "" { @@ -791,7 +802,17 @@ func CheckKeyboardInteractiveAuth(username, authHook string, client ssh.Keyboard return doKeyboardInteractiveAuth(&user, authHook, client, ip, protocol) } -// UpdateLastLogin updates the last login fields for the given SFTP user +// UpdateAPIKeyLastUse updates the LastUseAt field for the given API key +func UpdateAPIKeyLastUse(apiKey *APIKey) error { + lastUse := util.GetTimeFromMsecSinceEpoch(apiKey.LastUseAt) + diff := -time.Until(lastUse) + if diff < 0 || diff > lastLoginMinDelay { + return provider.updateAPIKeyLastUse(apiKey.KeyID) + } + return nil +} + +// UpdateLastLogin updates the last login field for the given SFTPGo user func UpdateLastLogin(user *User) error { lastLogin := util.GetTimeFromMsecSinceEpoch(user.LastLogin) diff := -time.Until(lastLogin) @@ -871,6 +892,33 @@ func GetUsedVirtualFolderQuota(name string) (int, int64, error) { return files + delayedFiles, size + delayedSize, err } +// AddAPIKey adds a new API key +func AddAPIKey(apiKey *APIKey) error { + return provider.addAPIKey(apiKey) +} + +// UpdateAPIKey updates an existing API key +func UpdateAPIKey(apiKey *APIKey) error { + return provider.updateAPIKey(apiKey) +} + +// DeleteAPIKey deletes an existing API key +func DeleteAPIKey(keyID string) error { + apiKey, err := provider.apiKeyExists(keyID) + if err != nil { + return err + } + return provider.deleteAPIKeys(&apiKey) +} + +// APIKeyExists returns the API key with the given ID if it exists +func APIKeyExists(keyID string) (APIKey, error) { + if keyID == "" { + return APIKey{}, util.NewRecordNotFoundError(fmt.Sprintf("API key %#v does not exist", keyID)) + } + return provider.apiKeyExists(keyID) +} + // HasAdmin returns true if the first admin has been created // and so SFTPGo is ready to be used func HasAdmin() bool { @@ -900,7 +948,7 @@ func DeleteAdmin(username string) error { return provider.deleteAdmin(&admin) } -// AdminExists returns the given admins if it exists +// AdminExists returns the admin with the given username if it exists func AdminExists(username string) (Admin, error) { return provider.adminExists(username) } @@ -953,6 +1001,11 @@ func ReloadConfig() error { return provider.reloadConfig() } +// GetAPIKeys returns an array of API keys respecting limit and offset +func GetAPIKeys(limit, offset int, order string) ([]APIKey, error) { + return provider.getAPIKeys(limit, offset, order) +} + // GetAdmins returns an array of admins respecting limit and offset func GetAdmins(limit, offset int, order string) ([]Admin, error) { return provider.getAdmins(limit, offset, order) @@ -1020,9 +1073,14 @@ func DumpData() (BackupData, error) { if err != nil { return data, err } + apiKeys, err := provider.dumpAPIKeys() + if err != nil { + return data, err + } data.Users = users data.Folders = folders data.Admins = admins + data.APIKeys = apiKeys data.Version = DumpVersion return data, err } @@ -1535,17 +1593,6 @@ func ValidateUser(user *User) error { return saveGCSCredentials(&user.FsConfig, user) } -func checkLoginConditions(user *User) error { - if user.Status < 1 { - return fmt.Errorf("user %#v is disabled", user.Username) - } - if user.ExpirationDate > 0 && user.ExpirationDate < util.GetTimeAsMsSinceEpoch(time.Now()) { - return fmt.Errorf("user %#v is expired, expiration timestamp: %v current timestamp: %v", user.Username, - user.ExpirationDate, util.GetTimeAsMsSinceEpoch(time.Now())) - } - return nil -} - func isPasswordOK(user *User, password string) (bool, error) { if config.PasswordCaching { found, match := cachedPasswords.Check(user.Username, password) @@ -1556,17 +1603,17 @@ func isPasswordOK(user *User, password string) (bool, error) { match := false var err error - if strings.HasPrefix(user.Password, argonPwdPrefix) { + if strings.HasPrefix(user.Password, bcryptPwdPrefix) { + if err = bcrypt.CompareHashAndPassword([]byte(user.Password), []byte(password)); err != nil { + return match, ErrInvalidCredentials + } + match = true + } else if strings.HasPrefix(user.Password, argonPwdPrefix) { match, err = argon2id.ComparePasswordAndHash(password, user.Password) if err != nil { providerLog(logger.LevelWarn, "error comparing password with argon hash: %v", err) return match, err } - } else if strings.HasPrefix(user.Password, bcryptPwdPrefix) { - if err = bcrypt.CompareHashAndPassword([]byte(user.Password), []byte(password)); err != nil { - return match, ErrInvalidCredentials - } - match = true } else if util.IsStringPrefixInSlice(user.Password, pbkdfPwdPrefixes) { match, err = comparePbkdf2PasswordAndHash(password, user.Password) if err != nil { @@ -1585,7 +1632,7 @@ func isPasswordOK(user *User, password string) (bool, error) { } func checkUserAndTLSCertificate(user *User, protocol string, tlsCert *x509.Certificate) (User, error) { - err := checkLoginConditions(user) + err := user.CheckLoginConditions() if err != nil { return *user, err } @@ -1604,7 +1651,7 @@ func checkUserAndTLSCertificate(user *User, protocol string, tlsCert *x509.Certi } func checkUserAndPass(user *User, password, ip, protocol string) (User, error) { - err := checkLoginConditions(user) + err := user.CheckLoginConditions() if err != nil { return *user, err } @@ -1644,7 +1691,7 @@ func checkUserAndPass(user *User, password, ip, protocol string) (User, error) { } func checkUserAndPubKey(user *User, pubKey []byte) (User, string, error) { - err := checkLoginConditions(user) + err := user.CheckLoginConditions() if err != nil { return *user, "", err } @@ -2053,7 +2100,7 @@ func doKeyboardInteractiveAuth(user *User, authHook string, client ssh.KeyboardI if authResult != 1 { return *user, fmt.Errorf("keyboard interactive auth failed, result: %v", authResult) } - err = checkLoginConditions(user) + err = user.CheckLoginConditions() if err != nil { return *user, err } diff --git a/dataprovider/memory.go b/dataprovider/memory.go index 6bf7a1ae..fef8bdd3 100644 --- a/dataprovider/memory.go +++ b/dataprovider/memory.go @@ -36,6 +36,10 @@ type memoryProviderHandle struct { admins map[string]Admin // slice with ordered admins adminsUsernames []string + // map for API keys, keyID is the key + apiKeys map[string]APIKey + // slice with ordered API keys KeyID + apiKeysIDs []string } // MemoryProvider auth provider for a memory store @@ -60,6 +64,8 @@ func initializeMemoryProvider(basePath string) { vfoldersNames: []string{}, admins: make(map[string]Admin), adminsUsernames: []string{}, + apiKeys: make(map[string]APIKey), + apiKeysIDs: []string{}, configFile: configFile, }, } @@ -137,6 +143,21 @@ func (p *MemoryProvider) validateAdminAndPass(username, password, ip string) (Ad return admin, err } +func (p *MemoryProvider) updateAPIKeyLastUse(keyID string) error { + p.dbHandle.Lock() + defer p.dbHandle.Unlock() + if p.dbHandle.isClosed { + return errMemoryProviderClosed + } + apiKey, err := p.apiKeyExistsInternal(keyID) + if err != nil { + return err + } + apiKey.LastUseAt = util.GetTimeAsMsSinceEpoch(time.Now()) + p.dbHandle.apiKeys[apiKey.KeyID] = apiKey + return nil +} + func (p *MemoryProvider) updateLastLogin(username string) error { p.dbHandle.Lock() defer p.dbHandle.Unlock() @@ -273,6 +294,7 @@ func (p *MemoryProvider) deleteUser(user *User) error { p.dbHandle.usernames = append(p.dbHandle.usernames, username) } sort.Strings(p.dbHandle.usernames) + p.deleteAPIKeysWithUser(user.Username) return nil } @@ -428,6 +450,7 @@ func (p *MemoryProvider) deleteAdmin(admin *Admin) error { p.dbHandle.adminsUsernames = append(p.dbHandle.adminsUsernames, username) } sort.Strings(p.dbHandle.adminsUsernames) + p.deleteAPIKeysWithAdmin(admin.Username) return nil } @@ -770,6 +793,168 @@ func (p *MemoryProvider) deleteFolder(folder *vfs.BaseVirtualFolder) error { return nil } +func (p *MemoryProvider) apiKeyExistsInternal(keyID string) (APIKey, error) { + if val, ok := p.dbHandle.apiKeys[keyID]; ok { + return val.getACopy(), nil + } + return APIKey{}, util.NewRecordNotFoundError(fmt.Sprintf("API key %#v does not exist", keyID)) +} + +func (p *MemoryProvider) apiKeyExists(keyID string) (APIKey, error) { + p.dbHandle.Lock() + defer p.dbHandle.Unlock() + if p.dbHandle.isClosed { + return APIKey{}, errMemoryProviderClosed + } + return p.apiKeyExistsInternal(keyID) +} + +func (p *MemoryProvider) addAPIKey(apiKey *APIKey) error { + err := apiKey.validate() + if err != nil { + return err + } + + p.dbHandle.Lock() + defer p.dbHandle.Unlock() + if p.dbHandle.isClosed { + return errMemoryProviderClosed + } + + _, err = p.apiKeyExistsInternal(apiKey.KeyID) + if err == nil { + return fmt.Errorf("API key %#v already exists", apiKey.KeyID) + } + apiKey.UpdatedAt = util.GetTimeAsMsSinceEpoch(time.Now()) + p.dbHandle.apiKeys[apiKey.KeyID] = apiKey.getACopy() + p.dbHandle.apiKeysIDs = append(p.dbHandle.apiKeysIDs, apiKey.KeyID) + sort.Strings(p.dbHandle.apiKeysIDs) + return nil +} + +func (p *MemoryProvider) updateAPIKey(apiKey *APIKey) error { + err := apiKey.validate() + if err != nil { + return err + } + + p.dbHandle.Lock() + defer p.dbHandle.Unlock() + if p.dbHandle.isClosed { + return errMemoryProviderClosed + } + k, err := p.apiKeyExistsInternal(apiKey.KeyID) + if err != nil { + return err + } + apiKey.ID = k.ID + apiKey.KeyID = k.KeyID + apiKey.Key = k.Key + apiKey.CreatedAt = k.CreatedAt + apiKey.LastUseAt = k.LastUseAt + apiKey.UpdatedAt = util.GetTimeAsMsSinceEpoch(time.Now()) + p.dbHandle.apiKeys[apiKey.KeyID] = apiKey.getACopy() + return nil +} + +func (p *MemoryProvider) deleteAPIKeys(apiKey *APIKey) error { + p.dbHandle.Lock() + defer p.dbHandle.Unlock() + if p.dbHandle.isClosed { + return errMemoryProviderClosed + } + _, err := p.apiKeyExistsInternal(apiKey.KeyID) + if err != nil { + return err + } + + delete(p.dbHandle.apiKeys, apiKey.KeyID) + // this could be more efficient + p.dbHandle.apiKeysIDs = make([]string, 0, len(p.dbHandle.apiKeys)) + for keyID := range p.dbHandle.apiKeys { + p.dbHandle.apiKeysIDs = append(p.dbHandle.apiKeysIDs, keyID) + } + sort.Strings(p.dbHandle.apiKeysIDs) + return nil +} + +func (p *MemoryProvider) getAPIKeys(limit int, offset int, order string) ([]APIKey, error) { + apiKeys := make([]APIKey, 0, limit) + + p.dbHandle.Lock() + defer p.dbHandle.Unlock() + + if p.dbHandle.isClosed { + return apiKeys, errMemoryProviderClosed + } + if limit <= 0 { + return apiKeys, nil + } + itNum := 0 + if order == OrderDESC { + for i := len(p.dbHandle.apiKeysIDs) - 1; i >= 0; i-- { + itNum++ + if itNum <= offset { + continue + } + keyID := p.dbHandle.apiKeysIDs[i] + k := p.dbHandle.apiKeys[keyID] + apiKey := k.getACopy() + apiKey.HideConfidentialData() + apiKeys = append(apiKeys, apiKey) + if len(apiKeys) >= limit { + break + } + } + } else { + for _, keyID := range p.dbHandle.apiKeysIDs { + itNum++ + if itNum <= offset { + continue + } + k := p.dbHandle.apiKeys[keyID] + apiKey := k.getACopy() + apiKey.HideConfidentialData() + apiKeys = append(apiKeys, apiKey) + if len(apiKeys) >= limit { + break + } + } + } + + return apiKeys, nil +} + +func (p *MemoryProvider) dumpAPIKeys() ([]APIKey, error) { + p.dbHandle.Lock() + defer p.dbHandle.Unlock() + + apiKeys := make([]APIKey, 0, len(p.dbHandle.apiKeys)) + if p.dbHandle.isClosed { + return apiKeys, errMemoryProviderClosed + } + for _, k := range p.dbHandle.apiKeys { + apiKeys = append(apiKeys, k) + } + return apiKeys, nil +} + +func (p *MemoryProvider) deleteAPIKeysWithUser(username string) { + for k, v := range p.dbHandle.apiKeys { + if v.User == username { + delete(p.dbHandle.apiKeys, k) + } + } +} + +func (p *MemoryProvider) deleteAPIKeysWithAdmin(username string) { + for k, v := range p.dbHandle.apiKeys { + if v.Admin == username { + delete(p.dbHandle.apiKeys, k) + } + } +} + func (p *MemoryProvider) getNextID() int64 { nextID := int64(1) for _, v := range p.dbHandle.users { diff --git a/dataprovider/mysql.go b/dataprovider/mysql.go index 10c2b98f..859ca61e 100644 --- a/dataprovider/mysql.go +++ b/dataprovider/mysql.go @@ -40,6 +40,12 @@ const ( "ALTER TABLE `{{folders_mapping}}` ADD CONSTRAINT `{{prefix}}folders_mapping_folder_id_fk_folders_id` FOREIGN KEY (`folder_id`) REFERENCES `{{folders}}` (`id`) ON DELETE CASCADE;" + "ALTER TABLE `{{folders_mapping}}` ADD CONSTRAINT `{{prefix}}folders_mapping_user_id_fk_users_id` FOREIGN KEY (`user_id`) REFERENCES `{{users}}` (`id`) ON DELETE CASCADE;" + "INSERT INTO {{schema_version}} (version) VALUES (10);" + mysqlV11SQL = "CREATE TABLE `{{api_keys}}` (`id` integer AUTO_INCREMENT NOT NULL PRIMARY KEY, `name` varchar(255) NOT NULL, `key_id` varchar(50) NOT NULL UNIQUE," + + "`api_key` varchar(255) NOT NULL UNIQUE, `scope` integer NOT NULL, `created_at` bigint NOT NULL, `updated_at` bigint NOT NULL, `last_use_at` bigint NOT NULL, " + + "`expires_at` bigint NOT NULL, `description` longtext NULL, `admin_id` integer NULL, `user_id` integer NULL);" + + "ALTER TABLE `{{api_keys}}` ADD CONSTRAINT `{{prefix}}api_keys_admin_id_fk_admins_id` FOREIGN KEY (`admin_id`) REFERENCES `{{admins}}` (`id`) ON DELETE CASCADE;" + + "ALTER TABLE `{{api_keys}}` ADD CONSTRAINT `{{prefix}}api_keys_user_id_fk_users_id` FOREIGN KEY (`user_id`) REFERENCES `{{users}}` (`id`) ON DELETE CASCADE;" + mysqlV11DownSQL = "DROP TABLE `{{api_keys}}` CASCADE;" ) // MySQLProvider auth provider for MySQL/MariaDB database @@ -201,6 +207,34 @@ func (p *MySQLProvider) validateAdminAndPass(username, password, ip string) (Adm return sqlCommonValidateAdminAndPass(username, password, ip, p.dbHandle) } +func (p *MySQLProvider) apiKeyExists(keyID string) (APIKey, error) { + return sqlCommonGetAPIKeyByID(keyID, p.dbHandle) +} + +func (p *MySQLProvider) addAPIKey(apiKey *APIKey) error { + return sqlCommonAddAPIKey(apiKey, p.dbHandle) +} + +func (p *MySQLProvider) updateAPIKey(apiKey *APIKey) error { + return sqlCommonUpdateAPIKey(apiKey, p.dbHandle) +} + +func (p *MySQLProvider) deleteAPIKeys(apiKey *APIKey) error { + return sqlCommonDeleteAPIKey(apiKey, p.dbHandle) +} + +func (p *MySQLProvider) getAPIKeys(limit int, offset int, order string) ([]APIKey, error) { + return sqlCommonGetAPIKeys(limit, offset, order, p.dbHandle) +} + +func (p *MySQLProvider) dumpAPIKeys() ([]APIKey, error) { + return sqlCommonDumpAPIKeys(p.dbHandle) +} + +func (p *MySQLProvider) updateAPIKeyLastUse(keyID string) error { + return sqlCommonUpdateAPIKeyLastUse(keyID, p.dbHandle) +} + func (p *MySQLProvider) close() error { return p.dbHandle.Close() } @@ -240,6 +274,8 @@ func (p *MySQLProvider) migrateDatabase() error { providerLog(logger.LevelError, "%v", err) logger.ErrorToConsole("%v", err) return err + case version == 10: + return updateMySQLDatabaseFromV10(p.dbHandle) default: if version > sqlDatabaseVersion { providerLog(logger.LevelWarn, "database version %v is newer than the supported one: %v", version, @@ -261,5 +297,35 @@ func (p *MySQLProvider) revertDatabase(targetVersion int) error { return errors.New("current version match target version, nothing to do") } - return errors.New("the current version cannot be reverted") + switch dbVersion.Version { + case 11: + return downgradeMySQLDatabaseFromV11(p.dbHandle) + default: + return fmt.Errorf("database version not handled: %v", dbVersion.Version) + } +} + +func updateMySQLDatabaseFromV10(dbHandle *sql.DB) error { + return updateMySQLDatabaseFrom10To11(dbHandle) +} + +func downgradeMySQLDatabaseFromV11(dbHandle *sql.DB) error { + return downgradeMySQLDatabaseFrom11To10(dbHandle) +} + +func updateMySQLDatabaseFrom10To11(dbHandle *sql.DB) error { + logger.InfoToConsole("updating database version: 10 -> 11") + providerLog(logger.LevelInfo, "updating database version: 10 -> 11") + sql := strings.ReplaceAll(mysqlV11SQL, "{{users}}", sqlTableUsers) + sql = strings.ReplaceAll(sql, "{{admins}}", sqlTableAdmins) + sql = strings.ReplaceAll(sql, "{{api_keys}}", sqlTableAPIKeys) + sql = strings.ReplaceAll(sql, "{{prefix}}", config.SQLTablesPrefix) + return sqlCommonExecSQLAndUpdateDBVersion(dbHandle, strings.Split(sql, ";"), 11) +} + +func downgradeMySQLDatabaseFrom11To10(dbHandle *sql.DB) error { + logger.InfoToConsole("downgrading database version: 11 -> 10") + providerLog(logger.LevelInfo, "downgrading database version: 11 -> 10") + sql := strings.ReplaceAll(mysqlV11DownSQL, "{{api_keys}}", sqlTableAPIKeys) + return sqlCommonExecSQLAndUpdateDBVersion(dbHandle, strings.Split(sql, ";"), 10) } diff --git a/dataprovider/pgsql.go b/dataprovider/pgsql.go index cfe5ea8f..859cfa68 100644 --- a/dataprovider/pgsql.go +++ b/dataprovider/pgsql.go @@ -45,6 +45,18 @@ CREATE INDEX "{{prefix}}folders_mapping_folder_id_idx" ON "{{folders_mapping}}" CREATE INDEX "{{prefix}}folders_mapping_user_id_idx" ON "{{folders_mapping}}" ("user_id"); INSERT INTO {{schema_version}} (version) VALUES (10); ` + pgsqlV11SQL = `CREATE TABLE "{{api_keys}}" ("id" serial NOT NULL PRIMARY KEY, "name" varchar(255) NOT NULL, +"key_id" varchar(50) NOT NULL UNIQUE, "api_key" varchar(255) NOT NULL UNIQUE, "scope" integer NOT NULL, +"created_at" bigint NOT NULL, "updated_at" bigint NOT NULL, "last_use_at" bigint NOT NULL,"expires_at" bigint NOT NULL, +"description" text NULL, "admin_id" integer NULL, "user_id" integer NULL); +ALTER TABLE "{{api_keys}}" ADD CONSTRAINT "{{prefix}}api_keys_admin_id_fk_admins_id" FOREIGN KEY ("admin_id") +REFERENCES "{{admins}}" ("id") MATCH SIMPLE ON UPDATE NO ACTION ON DELETE CASCADE; +ALTER TABLE "{{api_keys}}" ADD CONSTRAINT "{{prefix}}api_keys_user_id_fk_users_id" FOREIGN KEY ("user_id") +REFERENCES "{{users}}" ("id") MATCH SIMPLE ON UPDATE NO ACTION ON DELETE CASCADE; +CREATE INDEX "{{prefix}}api_keys_admin_id_idx" ON "{{api_keys}}" ("admin_id"); +CREATE INDEX "{{prefix}}api_keys_user_id_idx" ON "{{api_keys}}" ("user_id"); +` + pgsqlV11DownSQL = `DROP TABLE "{{api_keys}}" CASCADE;` ) // PGSQLProvider auth provider for PostgreSQL database @@ -206,6 +218,34 @@ func (p *PGSQLProvider) validateAdminAndPass(username, password, ip string) (Adm return sqlCommonValidateAdminAndPass(username, password, ip, p.dbHandle) } +func (p *PGSQLProvider) apiKeyExists(keyID string) (APIKey, error) { + return sqlCommonGetAPIKeyByID(keyID, p.dbHandle) +} + +func (p *PGSQLProvider) addAPIKey(apiKey *APIKey) error { + return sqlCommonAddAPIKey(apiKey, p.dbHandle) +} + +func (p *PGSQLProvider) updateAPIKey(apiKey *APIKey) error { + return sqlCommonUpdateAPIKey(apiKey, p.dbHandle) +} + +func (p *PGSQLProvider) deleteAPIKeys(apiKey *APIKey) error { + return sqlCommonDeleteAPIKey(apiKey, p.dbHandle) +} + +func (p *PGSQLProvider) getAPIKeys(limit int, offset int, order string) ([]APIKey, error) { + return sqlCommonGetAPIKeys(limit, offset, order, p.dbHandle) +} + +func (p *PGSQLProvider) dumpAPIKeys() ([]APIKey, error) { + return sqlCommonDumpAPIKeys(p.dbHandle) +} + +func (p *PGSQLProvider) updateAPIKeyLastUse(keyID string) error { + return sqlCommonUpdateAPIKeyLastUse(keyID, p.dbHandle) +} + func (p *PGSQLProvider) close() error { return p.dbHandle.Close() } @@ -251,6 +291,8 @@ func (p *PGSQLProvider) migrateDatabase() error { providerLog(logger.LevelError, "%v", err) logger.ErrorToConsole("%v", err) return err + case version == 10: + return updatePGSQLDatabaseFromV10(p.dbHandle) default: if version > sqlDatabaseVersion { providerLog(logger.LevelWarn, "database version %v is newer than the supported one: %v", version, @@ -272,5 +314,35 @@ func (p *PGSQLProvider) revertDatabase(targetVersion int) error { return errors.New("current version match target version, nothing to do") } - return errors.New("the current version cannot be reverted") + switch dbVersion.Version { + case 11: + return downgradePGSQLDatabaseFromV11(p.dbHandle) + default: + return fmt.Errorf("database version not handled: %v", dbVersion.Version) + } +} + +func updatePGSQLDatabaseFromV10(dbHandle *sql.DB) error { + return updatePGSQLDatabaseFrom10To11(dbHandle) +} + +func downgradePGSQLDatabaseFromV11(dbHandle *sql.DB) error { + return downgradePGSQLDatabaseFrom11To10(dbHandle) +} + +func updatePGSQLDatabaseFrom10To11(dbHandle *sql.DB) error { + logger.InfoToConsole("updating database version: 10 -> 11") + providerLog(logger.LevelInfo, "updating database version: 10 -> 11") + sql := strings.ReplaceAll(pgsqlV11SQL, "{{users}}", sqlTableUsers) + sql = strings.ReplaceAll(sql, "{{admins}}", sqlTableAdmins) + sql = strings.ReplaceAll(sql, "{{api_keys}}", sqlTableAPIKeys) + sql = strings.ReplaceAll(sql, "{{prefix}}", config.SQLTablesPrefix) + return sqlCommonExecSQLAndUpdateDBVersion(dbHandle, []string{sql}, 11) +} + +func downgradePGSQLDatabaseFrom11To10(dbHandle *sql.DB) error { + logger.InfoToConsole("downgrading database version: 11 -> 10") + providerLog(logger.LevelInfo, "downgrading database version: 11 -> 10") + sql := strings.ReplaceAll(pgsqlV11DownSQL, "{{api_keys}}", sqlTableAPIKeys) + return sqlCommonExecSQLAndUpdateDBVersion(dbHandle, []string{sql}, 10) } diff --git a/dataprovider/sqlcommon.go b/dataprovider/sqlcommon.go index c408a05d..dc4593e1 100644 --- a/dataprovider/sqlcommon.go +++ b/dataprovider/sqlcommon.go @@ -19,7 +19,7 @@ import ( ) const ( - sqlDatabaseVersion = 10 + sqlDatabaseVersion = 11 defaultSQLQueryTimeout = 10 * time.Second longSQLQueryTimeout = 60 * time.Second ) @@ -34,6 +34,170 @@ type sqlScanner interface { Scan(dest ...interface{}) error } +func sqlCommonGetAPIKeyByID(keyID string, dbHandle sqlQuerier) (APIKey, error) { + var apiKey APIKey + ctx, cancel := context.WithTimeout(context.Background(), defaultSQLQueryTimeout) + defer cancel() + q := getAPIKeyByIDQuery() + stmt, err := dbHandle.PrepareContext(ctx, q) + if err != nil { + providerLog(logger.LevelWarn, "error preparing database query %#v: %v", q, err) + return apiKey, err + } + defer stmt.Close() + row := stmt.QueryRowContext(ctx, keyID) + + apiKey, err = getAPIKeyFromDbRow(row) + if err != nil { + return apiKey, err + } + return getAPIKeyWithRelatedFields(ctx, apiKey, dbHandle) +} + +func sqlCommonAddAPIKey(apiKey *APIKey, dbHandle *sql.DB) error { + err := apiKey.validate() + if err != nil { + return err + } + + userID, adminID, err := sqlCommonGetAPIKeyRelatedIDs(apiKey) + if err != nil { + return err + } + + ctx, cancel := context.WithTimeout(context.Background(), defaultSQLQueryTimeout) + defer cancel() + q := getAddAPIKeyQuery() + stmt, err := dbHandle.PrepareContext(ctx, q) + if err != nil { + providerLog(logger.LevelWarn, "error preparing database query %#v: %v", q, err) + return err + } + defer stmt.Close() + + _, err = stmt.ExecContext(ctx, apiKey.KeyID, apiKey.Name, apiKey.Key, apiKey.Scope, apiKey.CreatedAt, + util.GetTimeAsMsSinceEpoch(time.Now()), apiKey.LastUseAt, apiKey.ExpiresAt, apiKey.Description, + userID, adminID) + return err +} + +func sqlCommonUpdateAPIKey(apiKey *APIKey, dbHandle *sql.DB) error { + err := apiKey.validate() + if err != nil { + return err + } + + userID, adminID, err := sqlCommonGetAPIKeyRelatedIDs(apiKey) + if err != nil { + return err + } + + ctx, cancel := context.WithTimeout(context.Background(), defaultSQLQueryTimeout) + defer cancel() + q := getUpdateAPIKeyQuery() + stmt, err := dbHandle.PrepareContext(ctx, q) + if err != nil { + providerLog(logger.LevelWarn, "error preparing database query %#v: %v", q, err) + return err + } + defer stmt.Close() + + _, err = stmt.ExecContext(ctx, apiKey.Name, apiKey.Scope, apiKey.ExpiresAt, userID, adminID, + apiKey.Description, util.GetTimeAsMsSinceEpoch(time.Now()), apiKey.KeyID) + return err +} + +func sqlCommonDeleteAPIKey(apiKey *APIKey, dbHandle *sql.DB) error { + ctx, cancel := context.WithTimeout(context.Background(), defaultSQLQueryTimeout) + defer cancel() + q := getDeleteAPIKeyQuery() + stmt, err := dbHandle.PrepareContext(ctx, q) + if err != nil { + providerLog(logger.LevelWarn, "error preparing database query %#v: %v", q, err) + return err + } + defer stmt.Close() + _, err = stmt.ExecContext(ctx, apiKey.KeyID) + return err +} + +func sqlCommonGetAPIKeys(limit, offset int, order string, dbHandle sqlQuerier) ([]APIKey, error) { + apiKeys := make([]APIKey, 0, limit) + + ctx, cancel := context.WithTimeout(context.Background(), defaultSQLQueryTimeout) + defer cancel() + q := getAPIKeysQuery(order) + stmt, err := dbHandle.PrepareContext(ctx, q) + if err != nil { + providerLog(logger.LevelWarn, "error preparing database query %#v: %v", q, err) + return nil, err + } + defer stmt.Close() + + rows, err := stmt.QueryContext(ctx, limit, offset) + if err != nil { + return apiKeys, err + } + defer rows.Close() + + for rows.Next() { + k, err := getAPIKeyFromDbRow(rows) + if err != nil { + return apiKeys, err + } + k.HideConfidentialData() + apiKeys = append(apiKeys, k) + } + err = rows.Err() + if err != nil { + return apiKeys, err + } + apiKeys, err = getRelatedValuesForAPIKeys(ctx, apiKeys, dbHandle, APIKeyScopeAdmin) + if err != nil { + return apiKeys, err + } + + return getRelatedValuesForAPIKeys(ctx, apiKeys, dbHandle, APIKeyScopeUser) +} + +func sqlCommonDumpAPIKeys(dbHandle sqlQuerier) ([]APIKey, error) { + apiKeys := make([]APIKey, 0, 30) + + ctx, cancel := context.WithTimeout(context.Background(), defaultSQLQueryTimeout) + defer cancel() + q := getDumpAPIKeysQuery() + stmt, err := dbHandle.PrepareContext(ctx, q) + if err != nil { + providerLog(logger.LevelWarn, "error preparing database query %#v: %v", q, err) + return nil, err + } + defer stmt.Close() + + rows, err := stmt.QueryContext(ctx) + if err != nil { + return apiKeys, err + } + defer rows.Close() + + for rows.Next() { + k, err := getAPIKeyFromDbRow(rows) + if err != nil { + return apiKeys, err + } + apiKeys = append(apiKeys, k) + } + err = rows.Err() + if err != nil { + return apiKeys, err + } + apiKeys, err = getRelatedValuesForAPIKeys(ctx, apiKeys, dbHandle, APIKeyScopeAdmin) + if err != nil { + return apiKeys, err + } + + return getRelatedValuesForAPIKeys(ctx, apiKeys, dbHandle, APIKeyScopeUser) +} + func sqlCommonGetAdminByUsername(username string, dbHandle sqlQuerier) (Admin, error) { var admin Admin ctx, cancel := context.WithTimeout(context.Background(), defaultSQLQueryTimeout) @@ -303,6 +467,25 @@ func sqlCommonGetUsedQuota(username string, dbHandle *sql.DB) (int, int64, error return usedFiles, usedSize, err } +func sqlCommonUpdateAPIKeyLastUse(keyID string, dbHandle *sql.DB) error { + ctx, cancel := context.WithTimeout(context.Background(), defaultSQLQueryTimeout) + defer cancel() + q := getUpdateAPIKeyLastUseQuery() + stmt, err := dbHandle.PrepareContext(ctx, q) + if err != nil { + providerLog(logger.LevelWarn, "error preparing database query %#v: %v", q, err) + return err + } + defer stmt.Close() + _, err = stmt.ExecContext(ctx, util.GetTimeAsMsSinceEpoch(time.Now()), keyID) + if err == nil { + providerLog(logger.LevelDebug, "last use updated for key %#v", keyID) + } else { + providerLog(logger.LevelWarn, "error updating last use for key %#v: %v", keyID, err) + } + return err +} + func sqlCommonUpdateLastLogin(username string, dbHandle *sql.DB) error { ctx, cancel := context.WithTimeout(context.Background(), defaultSQLQueryTimeout) defer cancel() @@ -486,6 +669,34 @@ func sqlCommonGetUsers(limit int, offset int, order string, dbHandle sqlQuerier) return getUsersWithVirtualFolders(ctx, users, dbHandle) } +func getAPIKeyFromDbRow(row sqlScanner) (APIKey, error) { + var apiKey APIKey + var userID, adminID sql.NullInt64 + var description sql.NullString + + err := row.Scan(&apiKey.KeyID, &apiKey.Name, &apiKey.Key, &apiKey.Scope, &apiKey.CreatedAt, &apiKey.UpdatedAt, + &apiKey.LastUseAt, &apiKey.ExpiresAt, &description, &userID, &adminID) + + if err != nil { + if err == sql.ErrNoRows { + return apiKey, util.NewRecordNotFoundError(err.Error()) + } + return apiKey, err + } + + if userID.Valid { + apiKey.userID = userID.Int64 + } + if adminID.Valid { + apiKey.adminID = adminID.Int64 + } + if description.Valid { + apiKey.Description = description.String + } + + return apiKey, nil +} + func getAdminFromDbRow(row sqlScanner) (Admin, error) { var admin Admin var email, filters, additionalInfo, permissions, description sql.NullString @@ -526,7 +737,7 @@ func getAdminFromDbRow(row sqlScanner) (Admin, error) { admin.Description = description.String } - return admin, err + return admin, nil } func getUserFromDbRow(row sqlScanner) (User, error) { @@ -565,7 +776,7 @@ func getUserFromDbRow(row sqlScanner) (User, error) { perms := make(map[string][]string) err = json.Unmarshal([]byte(permissions.String), &perms) if err != nil { - providerLog(logger.LevelDebug, "unable to deserialize permissions for user %#v: %v", user.Username, err) + providerLog(logger.LevelWarn, "unable to deserialize permissions for user %#v: %v", user.Username, err) return user, fmt.Errorf("unable to deserialize permissions for user %#v: %v", user.Username, err) } user.Permissions = perms @@ -591,7 +802,7 @@ func getUserFromDbRow(row sqlScanner) (User, error) { user.Description = description.String } user.SetEmptySecretsIfNil() - return user, err + return user, nil } func sqlCommonCheckFolderExists(ctx context.Context, name string, dbHandle sqlQuerier) error { @@ -890,11 +1101,12 @@ func getUserWithVirtualFolders(ctx context.Context, user User, dbHandle sqlQueri } func getUsersWithVirtualFolders(ctx context.Context, users []User, dbHandle sqlQuerier) ([]User, error) { + if len(users) == 0 { + return users, nil + } + var err error usersVirtualFolders := make(map[int64][]vfs.VirtualFolder) - if len(users) == 0 { - return users, err - } q := getRelatedFoldersForUsersQuery(users) stmt, err := dbHandle.PrepareContext(ctx, q) if err != nil { @@ -947,11 +1159,12 @@ func getUsersWithVirtualFolders(ctx context.Context, users []User, dbHandle sqlQ } func getVirtualFoldersWithUsers(folders []vfs.BaseVirtualFolder, dbHandle sqlQuerier) ([]vfs.BaseVirtualFolder, error) { + if len(folders) == 0 { + return folders, nil + } + var err error vFoldersUsers := make(map[int64][]string) - if len(folders) == 0 { - return folders, err - } ctx, cancel := context.WithTimeout(context.Background(), defaultSQLQueryTimeout) defer cancel() q := getRelatedUsersForFoldersQuery(folders) @@ -1030,6 +1243,94 @@ func sqlCommonGetFolderUsedQuota(mappedPath string, dbHandle *sql.DB) (int, int6 return usedFiles, usedSize, err } +func getAPIKeyWithRelatedFields(ctx context.Context, apiKey APIKey, dbHandle sqlQuerier) (APIKey, error) { + var apiKeys []APIKey + var err error + + scope := APIKeyScopeAdmin + if apiKey.userID > 0 { + scope = APIKeyScopeUser + } + apiKeys, err = getRelatedValuesForAPIKeys(ctx, []APIKey{apiKey}, dbHandle, scope) + if err != nil { + return apiKey, err + } + if len(apiKeys) > 0 { + apiKey = apiKeys[0] + } + return apiKey, nil +} + +func getRelatedValuesForAPIKeys(ctx context.Context, apiKeys []APIKey, dbHandle sqlQuerier, scope APIKeyScope) ([]APIKey, error) { + if len(apiKeys) == 0 { + return apiKeys, nil + } + values := make(map[int64]string) + var q string + if scope == APIKeyScopeUser { + q = getRelatedUsersForAPIKeysQuery(apiKeys) + } else { + q = getRelatedAdminsForAPIKeysQuery(apiKeys) + } + stmt, err := dbHandle.PrepareContext(ctx, q) + if err != nil { + providerLog(logger.LevelWarn, "error preparing database query %#v: %v", q, err) + return nil, err + } + defer stmt.Close() + rows, err := stmt.QueryContext(ctx) + if err != nil { + return nil, err + } + defer rows.Close() + for rows.Next() { + var valueID int64 + var valueName string + err = rows.Scan(&valueID, &valueName) + if err != nil { + return apiKeys, err + } + values[valueID] = valueName + } + err = rows.Err() + if err != nil { + return apiKeys, err + } + if len(values) == 0 { + return apiKeys, nil + } + for idx := range apiKeys { + ref := &apiKeys[idx] + if scope == APIKeyScopeUser { + ref.User = values[ref.userID] + } else { + ref.Admin = values[ref.adminID] + } + } + return apiKeys, nil +} + +func sqlCommonGetAPIKeyRelatedIDs(apiKey *APIKey) (sql.NullInt64, sql.NullInt64, error) { + var userID, adminID sql.NullInt64 + if apiKey.User != "" { + u, err := provider.userExists(apiKey.User) + if err != nil { + return userID, adminID, util.NewValidationError(fmt.Sprintf("unable to validate user %v", apiKey.User)) + } + userID.Valid = true + userID.Int64 = u.ID + } + if apiKey.Admin != "" { + a, err := provider.adminExists(apiKey.Admin) + if err != nil { + return userID, adminID, util.NewValidationError(fmt.Sprintf("unable to validate admin %v", apiKey.Admin)) + } + adminID.Valid = true + adminID.Int64 = a.ID + } + return userID, adminID, nil +} + func sqlCommonGetDatabaseVersion(dbHandle *sql.DB, showInitWarn bool) (schemaVersion, error) { var result schemaVersion ctx, cancel := context.WithTimeout(context.Background(), defaultSQLQueryTimeout) diff --git a/dataprovider/sqlite.go b/dataprovider/sqlite.go index 535776aa..5bc2974a 100644 --- a/dataprovider/sqlite.go +++ b/dataprovider/sqlite.go @@ -43,6 +43,15 @@ CREATE INDEX "{{prefix}}folders_mapping_folder_id_idx" ON "{{folders_mapping}}" CREATE INDEX "{{prefix}}folders_mapping_user_id_idx" ON "{{folders_mapping}}" ("user_id"); INSERT INTO {{schema_version}} (version) VALUES (10); ` + sqliteV11SQL = `CREATE TABLE "{{api_keys}}" ("id" integer NOT NULL PRIMARY KEY AUTOINCREMENT, "name" varchar(255) NOT NULL, +"key_id" varchar(50) NOT NULL UNIQUE, "api_key" varchar(255) NOT NULL UNIQUE, "scope" integer NOT NULL, "created_at" bigint NOT NULL, +"updated_at" bigint NOT NULL, "last_use_at" bigint NOT NULL, "expires_at" bigint NOT NULL, "description" text NULL, +"admin_id" integer NULL REFERENCES "{{admins}}" ("id") ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, +"user_id" integer NULL REFERENCES "{{users}}" ("id") ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED); +CREATE INDEX "{{prefix}}api_keys_admin_id_idx" ON "api_keys" ("admin_id"); +CREATE INDEX "{{prefix}}api_keys_user_id_idx" ON "api_keys" ("user_id"); +` + sqliteV11DownSQL = `DROP TABLE "{{api_keys}}";` ) // SQLiteProvider auth provider for SQLite database @@ -196,6 +205,34 @@ func (p *SQLiteProvider) validateAdminAndPass(username, password, ip string) (Ad return sqlCommonValidateAdminAndPass(username, password, ip, p.dbHandle) } +func (p *SQLiteProvider) apiKeyExists(keyID string) (APIKey, error) { + return sqlCommonGetAPIKeyByID(keyID, p.dbHandle) +} + +func (p *SQLiteProvider) addAPIKey(apiKey *APIKey) error { + return sqlCommonAddAPIKey(apiKey, p.dbHandle) +} + +func (p *SQLiteProvider) updateAPIKey(apiKey *APIKey) error { + return sqlCommonUpdateAPIKey(apiKey, p.dbHandle) +} + +func (p *SQLiteProvider) deleteAPIKeys(apiKey *APIKey) error { + return sqlCommonDeleteAPIKey(apiKey, p.dbHandle) +} + +func (p *SQLiteProvider) getAPIKeys(limit int, offset int, order string) ([]APIKey, error) { + return sqlCommonGetAPIKeys(limit, offset, order, p.dbHandle) +} + +func (p *SQLiteProvider) dumpAPIKeys() ([]APIKey, error) { + return sqlCommonDumpAPIKeys(p.dbHandle) +} + +func (p *SQLiteProvider) updateAPIKeyLastUse(keyID string) error { + return sqlCommonUpdateAPIKeyLastUse(keyID, p.dbHandle) +} + func (p *SQLiteProvider) close() error { return p.dbHandle.Close() } @@ -235,6 +272,8 @@ func (p *SQLiteProvider) migrateDatabase() error { providerLog(logger.LevelError, "%v", err) logger.ErrorToConsole("%v", err) return err + case version == 10: + return updateSQLiteDatabaseFromV10(p.dbHandle) default: if version > sqlDatabaseVersion { providerLog(logger.LevelWarn, "database version %v is newer than the supported one: %v", version, @@ -256,7 +295,37 @@ func (p *SQLiteProvider) revertDatabase(targetVersion int) error { return errors.New("current version match target version, nothing to do") } - return errors.New("the current version cannot be reverted") + switch dbVersion.Version { + case 11: + return downgradeSQLiteDatabaseFromV11(p.dbHandle) + default: + return fmt.Errorf("database version not handled: %v", dbVersion.Version) + } +} + +func updateSQLiteDatabaseFromV10(dbHandle *sql.DB) error { + return updateSQLiteDatabaseFrom10To11(dbHandle) +} + +func downgradeSQLiteDatabaseFromV11(dbHandle *sql.DB) error { + return downgradeSQLiteDatabaseFrom11To10(dbHandle) +} + +func updateSQLiteDatabaseFrom10To11(dbHandle *sql.DB) error { + logger.InfoToConsole("updating database version: 10 -> 11") + providerLog(logger.LevelInfo, "updating database version: 10 -> 11") + sql := strings.ReplaceAll(sqliteV11SQL, "{{users}}", sqlTableUsers) + sql = strings.ReplaceAll(sql, "{{admins}}", sqlTableAdmins) + sql = strings.ReplaceAll(sql, "{{api_keys}}", sqlTableAPIKeys) + sql = strings.ReplaceAll(sql, "{{prefix}}", config.SQLTablesPrefix) + return sqlCommonExecSQLAndUpdateDBVersion(dbHandle, []string{sql}, 11) +} + +func downgradeSQLiteDatabaseFrom11To10(dbHandle *sql.DB) error { + logger.InfoToConsole("downgrading database version: 11 -> 10") + providerLog(logger.LevelInfo, "downgrading database version: 11 -> 10") + sql := strings.ReplaceAll(sqliteV11DownSQL, "{{api_keys}}", sqlTableAPIKeys) + return sqlCommonExecSQLAndUpdateDBVersion(dbHandle, []string{sql}, 10) } /*func setPragmaFK(dbHandle *sql.DB, value string) error { diff --git a/dataprovider/sqlqueries.go b/dataprovider/sqlqueries.go index c51d2f8a..0edc42f9 100644 --- a/dataprovider/sqlqueries.go +++ b/dataprovider/sqlqueries.go @@ -14,6 +14,7 @@ const ( "additional_info,description" selectFolderFields = "id,path,used_quota_size,used_quota_files,last_quota_update,name,description,filesystem" selectAdminFields = "id,username,password,status,email,permissions,filters,additional_info,description" + selectAPIKeyFields = "key_id,name,api_key,scope,created_at,updated_at,last_use_at,expires_at,description,user_id,admin_id" ) func getSQLPlaceholders() []string { @@ -57,6 +58,78 @@ func getDeleteAdminQuery() string { return fmt.Sprintf(`DELETE FROM %v WHERE username = %v`, sqlTableAdmins, sqlPlaceholders[0]) } +func getAPIKeyByIDQuery() string { + return fmt.Sprintf(`SELECT %v FROM %v WHERE key_id = %v`, selectAPIKeyFields, sqlTableAPIKeys, sqlPlaceholders[0]) +} + +func getAPIKeysQuery(order string) string { + return fmt.Sprintf(`SELECT %v FROM %v ORDER BY key_id %v LIMIT %v OFFSET %v`, selectAPIKeyFields, sqlTableAPIKeys, + order, sqlPlaceholders[0], sqlPlaceholders[1]) +} + +func getDumpAPIKeysQuery() string { + return fmt.Sprintf(`SELECT %v FROM %v`, selectAPIKeyFields, sqlTableAPIKeys) +} + +func getAddAPIKeyQuery() string { + return fmt.Sprintf(`INSERT INTO %v (key_id,name,api_key,scope,created_at,updated_at,last_use_at,expires_at,description,user_id,admin_id) + VALUES (%v,%v,%v,%v,%v,%v,%v,%v,%v,%v,%v)`, sqlTableAPIKeys, sqlPlaceholders[0], sqlPlaceholders[1], + sqlPlaceholders[2], sqlPlaceholders[3], sqlPlaceholders[4], sqlPlaceholders[5], sqlPlaceholders[6], + sqlPlaceholders[7], sqlPlaceholders[8], sqlPlaceholders[9], sqlPlaceholders[10]) +} + +func getUpdateAPIKeyQuery() string { + return fmt.Sprintf(`UPDATE %v SET name=%v,scope=%v,expires_at=%v,user_id=%v,admin_id=%v,description=%v,updated_at=%v + WHERE key_id = %v`, sqlTableAPIKeys, sqlPlaceholders[0], sqlPlaceholders[1], sqlPlaceholders[2], + sqlPlaceholders[3], sqlPlaceholders[4], sqlPlaceholders[5], sqlPlaceholders[6], sqlPlaceholders[7]) +} + +func getDeleteAPIKeyQuery() string { + return fmt.Sprintf(`DELETE FROM %v WHERE key_id = %v`, sqlTableAPIKeys, sqlPlaceholders[0]) +} + +func getRelatedUsersForAPIKeysQuery(apiKeys []APIKey) string { + var sb strings.Builder + for _, k := range apiKeys { + if k.userID == 0 { + continue + } + if sb.Len() == 0 { + sb.WriteString("(") + } else { + sb.WriteString(",") + } + sb.WriteString(strconv.FormatInt(k.userID, 10)) + } + if sb.Len() > 0 { + sb.WriteString(")") + } else { + sb.WriteString("(0)") + } + return fmt.Sprintf(`SELECT id,username FROM %v WHERE id IN %v`, sqlTableUsers, sb.String()) +} + +func getRelatedAdminsForAPIKeysQuery(apiKeys []APIKey) string { + var sb strings.Builder + for _, k := range apiKeys { + if k.adminID == 0 { + continue + } + if sb.Len() == 0 { + sb.WriteString("(") + } else { + sb.WriteString(",") + } + sb.WriteString(strconv.FormatInt(k.adminID, 10)) + } + if sb.Len() > 0 { + sb.WriteString(")") + } else { + sb.WriteString("(0)") + } + return fmt.Sprintf(`SELECT id,username FROM %v WHERE id IN %v`, sqlTableAdmins, sb.String()) +} + func getUserByUsernameQuery() string { return fmt.Sprintf(`SELECT %v FROM %v WHERE username = %v`, selectUserFields, sqlTableUsers, sqlPlaceholders[0]) } @@ -87,6 +160,10 @@ func getUpdateLastLoginQuery() string { return fmt.Sprintf(`UPDATE %v SET last_login = %v WHERE username = %v`, sqlTableUsers, sqlPlaceholders[0], sqlPlaceholders[1]) } +func getUpdateAPIKeyLastUseQuery() string { + return fmt.Sprintf(`UPDATE %v SET last_use_at = %v WHERE key_id = %v`, sqlTableAPIKeys, sqlPlaceholders[0], sqlPlaceholders[1]) +} + func getQuotaQuery() string { return fmt.Sprintf(`SELECT used_quota_size,used_quota_files FROM %v WHERE username = %v`, sqlTableUsers, sqlPlaceholders[0]) diff --git a/dataprovider/user.go b/dataprovider/user.go index 3b9a3529..c60d1f42 100644 --- a/dataprovider/user.go +++ b/dataprovider/user.go @@ -179,6 +179,18 @@ func (u *User) isFsEqual(other *User) bool { return true } +// CheckLoginConditions checks if the user is active and not expired +func (u *User) CheckLoginConditions() error { + if u.Status < 1 { + return fmt.Errorf("user %#v is disabled", u.Username) + } + if u.ExpirationDate > 0 && u.ExpirationDate < util.GetTimeAsMsSinceEpoch(time.Now()) { + return fmt.Errorf("user %#v is expired, expiration timestamp: %v current timestamp: %v", u.Username, + u.ExpirationDate, util.GetTimeAsMsSinceEpoch(time.Now())) + } + return nil +} + // hideConfidentialData hides user confidential data func (u *User) hideConfidentialData() { u.Password = "" @@ -997,6 +1009,7 @@ func (u *User) getACopy() User { filters.Hooks.PreLoginDisabled = u.Filters.Hooks.PreLoginDisabled filters.Hooks.CheckPasswordDisabled = u.Filters.Hooks.CheckPasswordDisabled filters.DisableFsChecks = u.Filters.DisableFsChecks + filters.AllowAPIKeyAuth = u.Filters.AllowAPIKeyAuth filters.WebClient = make([]string, len(u.Filters.WebClient)) copy(filters.WebClient, u.Filters.WebClient) diff --git a/docs/defender.md b/docs/defender.md index e1e04913..e44b2c51 100644 --- a/docs/defender.md +++ b/docs/defender.md @@ -18,7 +18,7 @@ And then you can configure: So a host is banned, for `ban_time` minutes, if the sum of the scores has exceeded the defined threshold during the last observation time minutes. -Each event type can be weighted by an integer. If `score_invalid` is 3 and `threshold` is 8, it will be banned after 3 login attempts with an invalid user within the configured `observation_time`. +By defining the scores, each type of event can be weighted. Let's see an example: if `score_invalid` is 3 and `threshold` is 8, a host will be banned after 3 login attempts with an non-existent user within the configured `observation_time`. A banned IP has no score, it makes no sense to accumulate host events in memory for an already banned IP address. diff --git a/docs/rest-api.md b/docs/rest-api.md index 99befec4..b4ece47b 100644 --- a/docs/rest-api.md +++ b/docs/rest-api.md @@ -6,11 +6,6 @@ If quota tracking is enabled in the configuration file, then the used size and n REST API are protected using JSON Web Tokens (JWT) authentication and can be exposed over HTTPS. You can also configure client certificate authentication in addition to JWT. -The default credentials are: - -- username: `admin` -- password: `password` - You can get a JWT token using the `/api/v2/token` endpoint, you need to authenticate using HTTP Basic authentication and the credentials of an active administrator. Here is a sample response: ```json @@ -37,11 +32,35 @@ You can create other administrator and assign them the following permissions: - view and start quota scans - view defender - manage defender +- manage API keys - manage system - manage admins You can also restrict administrator access based on the source IP address. If you are running SFTPGo behind a reverse proxy you need to allow both the proxy IP address and the real client IP. +As alternative authentication method you can use API keys. API keys are mainly designed for machine-to-machine communications and a static API key is intrinsically less secure than a short lived JWT token. +To generate API keys you first need to get a JWT token and then you can use the `/api/v2/apikeys` endpoint to manage your API keys. + +The API keys allow the impersonation of users and administrators, using the API keys you inherit the permissions of the associated user/admin. + +The user/admin association can be: + +- static, a user/admin is explictly associated to the API key +- dynamic, the API key has no user/admin associated, you need to add ".username" at the end of the key to specificy the user/admin to impersonate. For example if your API key is `6ajKLwswLccVBGpZGv596G.ySAXc8vtp9hMiwAuaLtzof` and you want to impersonate the admin with username `myadmin` you have to use `6ajKLwswLccVBGpZGv596G.ySAXc8vtp9hMiwAuaLtzof.myadmin` as API key. + +The API key scope defines if the API key can impersonate users or admins. +Before you can impersonate a user/admin you have to set `allow_api_key_auth` at user/admin level. Each user/admin can always revoke this permission. + +The generated API key is returned in the response body when you create a new API key object. It is not stored as plain text, you need to save it after the initial creation, there is no way to display the API key as plain text after the initial creation. + +API keys are not allowed for the following REST APIs: + +- manage API keys itself. You cannot create, update, delete, enumerate API keys if you are logged in with an API key +- change password or public keys for the associated user +- update the impersonated admin + +Please keep in mind that using an API key not associated with any administrator it is still possible to create a new administrator, with full permissions, and then impersonate it: be careful if you share unassociated API keys with third parties and with the `manage adminis` permission granted, they will basically allow full access, the only restriction is that the impersonated admin cannot be modified. + The OpenAPI 3 schema for the exposed API can be found inside the source tree: [openapi.yaml](../httpd/schema/openapi.yaml "OpenAPI 3 specs"). If you want to render the schema without importing it manually, you can explore it on [Stoplight](https://sftpgo.stoplight.io/docs/sftpgo/openapi.yaml). You can generate your own REST client in your preferred programming language, or even bash scripts, using an OpenAPI generator such as [swagger-codegen](https://github.com/swagger-api/swagger-codegen) or [OpenAPI Generator](https://openapi-generator.tech/). diff --git a/go.mod b/go.mod index 3d52f22a..e71660b9 100644 --- a/go.mod +++ b/go.mod @@ -7,7 +7,7 @@ require ( github.com/Azure/azure-storage-blob-go v0.14.0 github.com/GehirnInc/crypt v0.0.0-20200316065508-bb7000b8a962 github.com/alexedwards/argon2id v0.0.0-20210511081203-7d35d68092b8 - github.com/aws/aws-sdk-go v1.40.16 + github.com/aws/aws-sdk-go v1.40.23 github.com/cockroachdb/cockroach-go/v2 v2.1.1 github.com/eikenb/pipeat v0.0.0-20210603033007-44fc3ffce52b github.com/fatih/color v1.12.0 // indirect @@ -26,12 +26,13 @@ require ( github.com/hashicorp/go-retryablehttp v0.7.0 github.com/hashicorp/yamux v0.0.0-20210707203944-259a57b3608c // indirect github.com/jlaffaye/ftp v0.0.0-20201112195030-9aae4d151126 - github.com/klauspost/compress v1.13.3 + github.com/klauspost/compress v1.13.4 github.com/klauspost/cpuid/v2 v2.0.9 // indirect github.com/kr/text v0.2.0 // indirect github.com/lestrrat-go/backoff/v2 v2.0.8 // indirect github.com/lestrrat-go/jwx v1.2.5 github.com/lib/pq v1.10.2 + github.com/lithammer/shortuuid/v3 v3.0.7 github.com/mattn/go-isatty v0.0.13 // indirect github.com/mattn/go-sqlite3 v1.14.8 github.com/miekg/dns v1.1.43 // indirect @@ -59,12 +60,12 @@ require ( go.uber.org/automaxprocs v1.4.0 gocloud.dev v0.23.0 golang.org/x/crypto v0.0.0-20210513164829-c07d793c2f9a - golang.org/x/net v0.0.0-20210614182718-04defd469f4e - golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c + golang.org/x/net v0.0.0-20210813160813-60bc85c4be6d + golang.org/x/sys v0.0.0-20210817134402-fefb4affbef3 golang.org/x/time v0.0.0-20210723032227-1f47c861a9ac - google.golang.org/api v0.52.0 - google.golang.org/genproto v0.0.0-20210805201207-89edb61ffb67 // indirect - google.golang.org/grpc v1.39.1 + google.golang.org/api v0.54.0 + google.golang.org/genproto v0.0.0-20210816143620-e15ff196659d // indirect + google.golang.org/grpc v1.40.0 google.golang.org/protobuf v1.27.1 gopkg.in/natefinch/lumberjack.v2 v2.0.0 ) @@ -74,5 +75,5 @@ replace ( github.com/fclairamb/ftpserverlib => github.com/drakkan/ftpserverlib v0.0.0-20210805132427-425f32d9dc15 github.com/jlaffaye/ftp => github.com/drakkan/ftp v0.0.0-20201114075148-9b9adce499a9 golang.org/x/crypto => github.com/drakkan/crypto v0.0.0-20210515063737-edf1d3b63536 - golang.org/x/net => github.com/drakkan/net v0.0.0-20210725074420-30b60d4a1e60 + golang.org/x/net => github.com/drakkan/net v0.0.0-20210817141953-39359926843c ) diff --git a/go.sum b/go.sum index d52d8ea8..49021ca9 100644 --- a/go.sum +++ b/go.sum @@ -23,8 +23,9 @@ cloud.google.com/go v0.79.0/go.mod h1:3bzgcEeQlzbuEAYu4mrWhKqWjmpprinYgKJLgKHnbb cloud.google.com/go v0.81.0/go.mod h1:mk/AM35KwGk/Nm2YSeZbxXdrNK3KZOYHmLkOqC2V6E0= cloud.google.com/go v0.83.0/go.mod h1:Z7MJUsANfY0pYPdw0lbnivPx4/vhy/e2FEkSkF7vAVY= cloud.google.com/go v0.84.0/go.mod h1:RazrYuxIK6Kb7YrzzhPoLmCVzl7Sup4NrbKPg8KHSUM= -cloud.google.com/go v0.88.0 h1:MZ2cf9Elnv1wqccq8ooKO2MqHQLc+ChCp/+QWObCpxg= -cloud.google.com/go v0.88.0/go.mod h1:dnKwfYbP9hQhefiUvpbcAyoGSHUrOxR20JVElLiUvEY= +cloud.google.com/go v0.87.0/go.mod h1:TpDYlFy7vuLzZMMZ+B6iRiELaY7z/gJPaqbMx6mlWcY= +cloud.google.com/go v0.90.0 h1:MjvSkUq8RuAb+2JLDi5VQmmExRJPUQ3JLCWpRB6fmdw= +cloud.google.com/go v0.90.0/go.mod h1:kRX0mNRHe0e2rC6oNakvwQqzyDmg57xJ+SZU1eT2aDQ= cloud.google.com/go/bigquery v1.0.1/go.mod h1:i/xbL2UlR5RvWAURpBYZTtm/cXjCha9lbfbpx4poX+o= cloud.google.com/go/bigquery v1.3.0/go.mod h1:PjpwJnslEMmckchkHFfq+HTD2DmtT67aNFKH1/VBDHE= cloud.google.com/go/bigquery v1.4.0/go.mod h1:S8dzgnTigyfTmLBfrtrhyYhwRxG72rYxvftPBK2Dvzc= @@ -96,6 +97,7 @@ github.com/GehirnInc/crypt v0.0.0-20200316065508-bb7000b8a962 h1:KeNholpO2xKjgaa github.com/GehirnInc/crypt v0.0.0-20200316065508-bb7000b8a962/go.mod h1:kC29dT1vFpj7py2OvG1khBdQpo3kInWP+6QipLbdngo= github.com/GoogleCloudPlatform/cloudsql-proxy v1.22.0/go.mod h1:mAm5O/zik2RFmcpigNjg6nMotDL8ZXJaxKzgGVcSMFA= github.com/Knetic/govaluate v3.0.1-0.20171022003610-9aa49832a739+incompatible/go.mod h1:r7JcOSlj0wfOMncg0iLm8Leh48TZaKVeNIfJntJ2wa0= +github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU= github.com/Shopify/sarama v1.19.0/go.mod h1:FVkBWblsNy7DGZRfXLU0O9RCGt5g3g3yEuWXgklEdEo= github.com/Shopify/toxiproxy v2.1.4+incompatible/go.mod h1:OXgGpZ6Cli1/URJOF1DMxUHB2q5Ap20/P/eIdh4G0pI= github.com/StackExchange/wmi v1.2.1 h1:VIkavFPXSjcnS+O8yTq7NI32k0R5Aj+v39y29VYDOSA= @@ -118,8 +120,8 @@ github.com/aws/aws-sdk-go v1.15.27/go.mod h1:mFuSZ37Z9YOHbQEwBWztmVzqXrEkub65tZo github.com/aws/aws-sdk-go v1.23.20/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo= github.com/aws/aws-sdk-go v1.38.35/go.mod h1:hcU610XS61/+aQV88ixoOzUoG7v3b31pl2zKMmprdro= github.com/aws/aws-sdk-go v1.38.68/go.mod h1:hcU610XS61/+aQV88ixoOzUoG7v3b31pl2zKMmprdro= -github.com/aws/aws-sdk-go v1.40.16 h1:Tgg7i9ee2j6ir2EfejPDJBB3PyfUM4dPlvmMLtvJVfo= -github.com/aws/aws-sdk-go v1.40.16/go.mod h1:585smgzpB/KqRA+K3y/NL/oYRqQvpNJYvLm+LY1U59Q= +github.com/aws/aws-sdk-go v1.40.23 h1:o0cw9jVlbXkDd3eZU7MDIXp3a8zhECnl0BfUs2WNBIM= +github.com/aws/aws-sdk-go v1.40.23/go.mod h1:585smgzpB/KqRA+K3y/NL/oYRqQvpNJYvLm+LY1U59Q= github.com/aws/aws-sdk-go-v2 v1.7.0/go.mod h1:tb9wi5s61kTDA5qCkcDbt3KRVV74GGslQkl/DRdX/P4= github.com/aws/aws-sdk-go-v2/service/cloudwatch v1.5.0/go.mod h1:acH3+MQoiMzozT/ivU+DbRg7Ooo2298RdRaWcOv+4vM= github.com/aws/smithy-go v1.5.0/go.mod h1:SObp3lf9smib00L/v3U2eAKG8FyQ7iLrJnQiAmR5n+E= @@ -134,6 +136,8 @@ github.com/cenkalti/backoff v2.2.1+incompatible h1:tNowT99t7UNflLxfYYSlKYsBpXdEe github.com/cenkalti/backoff v2.2.1+incompatible/go.mod h1:90ReRw6GdpyfrHakVjL/QHaoyV4aDUVVkXQJJJ3NXXM= github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU= github.com/census-instrumentation/opencensus-proto v0.3.0/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU= +github.com/cespare/xxhash v1.1.0 h1:a6HrQnmkObjyL+Gs60czilIUGqrzKutQD6XZog3p+ko= +github.com/cespare/xxhash v1.1.0/go.mod h1:XrSqR1VqqWfGrhpAt58auRo0WTKS1nRRg3ghfAqPWnc= github.com/cespare/xxhash/v2 v2.1.1 h1:6MnRN8NT7+YBpUIWxHtefFZOKTAPgGjpQSxqLNn0+qY= github.com/cespare/xxhash/v2 v2.1.1/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI= @@ -178,8 +182,8 @@ github.com/drakkan/ftp v0.0.0-20201114075148-9b9adce499a9 h1:LPH1dEblAOO/LoG7yHP github.com/drakkan/ftp v0.0.0-20201114075148-9b9adce499a9/go.mod h1:2lmrmq866uF2tnje75wQHzmPXhmSWUt7Gyx2vgK1RCU= github.com/drakkan/ftpserverlib v0.0.0-20210805132427-425f32d9dc15 h1:J7FZPDILyOMYtShuM5hH3GLTL1cCDtoJ1InsxEyl798= github.com/drakkan/ftpserverlib v0.0.0-20210805132427-425f32d9dc15/go.mod h1:+Doq95UijHTIaJcWREhyu9dyQOqyoULbVU3OXgs8wEI= -github.com/drakkan/net v0.0.0-20210725074420-30b60d4a1e60 h1:qGPbhCgKiOglRLoNPgAwdTOp3xW3TC96RSGLkmVdsd0= -github.com/drakkan/net v0.0.0-20210725074420-30b60d4a1e60/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= +github.com/drakkan/net v0.0.0-20210817141953-39359926843c h1:mK9lUujDLUgprG2ORSgea+EYzH6fb8SFzHAzlm4pUCk= +github.com/drakkan/net v0.0.0-20210817141953-39359926843c/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= github.com/drakkan/pipeat v0.0.0-20210805162858-70e57fa8a639 h1:8tfGdb4kg/YCvAbIrsMazgoNtnqdOqQVDKW12uUCuuU= github.com/drakkan/pipeat v0.0.0-20210805162858-70e57fa8a639/go.mod h1:kltMsfRMTHSFdMbK66XdS8mfMW77+FZA1fGY1xYMF84= github.com/dustin/go-humanize v1.0.0/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk= @@ -331,7 +335,8 @@ github.com/google/pprof v0.0.0-20201218002935-b9804c9f04c2/go.mod h1:kpwsk12EmLe github.com/google/pprof v0.0.0-20210122040257-d980be63207e/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= github.com/google/pprof v0.0.0-20210226084205-cbba55b83ad5/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= github.com/google/pprof v0.0.0-20210601050228-01bbb1931b22/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= -github.com/google/pprof v0.0.0-20210715191844-86eeefc3e471/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= +github.com/google/pprof v0.0.0-20210609004039-a478d1d731e9/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= +github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI= github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 h1:El6M4kTTCOh6aBiKaUGG7oYTSPP8MxqL4YI3kZKwcP4= github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510/go.mod h1:pupxD2MaaD3pAXIBCelhxNneeOaAeabZDe5s4K6zSpQ= @@ -474,8 +479,8 @@ github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+o github.com/klauspost/compress v1.10.3/go.mod h1:aoV0uJVorq1K+umq18yTdKaF57EivdYsUV+/s2qKfXs= github.com/klauspost/compress v1.11.12/go.mod h1:aoV0uJVorq1K+umq18yTdKaF57EivdYsUV+/s2qKfXs= github.com/klauspost/compress v1.12.2/go.mod h1:8dP1Hq4DHOhN9w426knH3Rhby4rFm6D8eO+e+Dq5Gzg= -github.com/klauspost/compress v1.13.3 h1:BtAvtV1+h0YwSVwWoYXMREPpYu9VzTJ9QDI1TEg/iQQ= -github.com/klauspost/compress v1.13.3/go.mod h1:8dP1Hq4DHOhN9w426knH3Rhby4rFm6D8eO+e+Dq5Gzg= +github.com/klauspost/compress v1.13.4 h1:0zhec2I8zGnjWcKyLl6i3gPqKANCCn5e9xmviEEeX6s= +github.com/klauspost/compress v1.13.4/go.mod h1:8dP1Hq4DHOhN9w426knH3Rhby4rFm6D8eO+e+Dq5Gzg= github.com/klauspost/cpuid/v2 v2.0.4/go.mod h1:FInQzS24/EEf25PyTYn52gqo7WaD8xa0213Md/qVLRg= github.com/klauspost/cpuid/v2 v2.0.9 h1:lgaqFMSdTdQYdZ04uHyN2d/eKdOMyi2YLSvlQIBFYa4= github.com/klauspost/cpuid/v2 v2.0.9/go.mod h1:FInQzS24/EEf25PyTYn52gqo7WaD8xa0213Md/qVLRg= @@ -522,6 +527,8 @@ github.com/lib/pq v1.10.0/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o= github.com/lib/pq v1.10.1/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o= github.com/lib/pq v1.10.2 h1:AqzbZs4ZoCBp+GtejcpCpcxM3zlSMx29dXbUSeVtJb8= github.com/lib/pq v1.10.2/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o= +github.com/lithammer/shortuuid/v3 v3.0.7 h1:trX0KTHy4Pbwo/6ia8fscyHoGA+mf1jWbPJVuvyJQQ8= +github.com/lithammer/shortuuid/v3 v3.0.7/go.mod h1:vMk8ke37EmiewwolSO1NLW8vP4ZaKlRuDIi8tWWmAts= github.com/magiconair/properties v1.8.5 h1:b6kJs+EmPFMYGkow9GiUyCyOvIwYetYJ3fSaWak/Gls= github.com/magiconair/properties v1.8.5/go.mod h1:y3VJvCyxH9uVvJTWEGAELF3aiYNyPKd5NZ3oSwXrF60= github.com/mattn/go-colorable v0.0.9/go.mod h1:9vuHe8Xs5qXnSaW/c/ABM9alt+Vo+STaOChaDxuIBZU= @@ -678,6 +685,7 @@ github.com/smartystreets/assertions v0.0.0-20180927180507-b2de0cb4f26d/go.mod h1 github.com/smartystreets/goconvey v1.6.4 h1:fv0U8FUIMPNf1L9lnHLvLhgicrIVChEkdzIKYqbNC9s= github.com/smartystreets/goconvey v1.6.4/go.mod h1:syvi0/a8iFYH4r/RixwvyeAJjdLS9QV7WQ/tjFTllLA= github.com/sony/gobreaker v0.4.1/go.mod h1:ZKptC7FHNvhBz7dN2LGjPVBz2sZJmc0/PkyDJOjmxWY= +github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA= github.com/spf13/afero v1.6.0 h1:xoax2sJ2DT8S8xA2paPFjDCScCNeWsg75VG0DLRreiY= github.com/spf13/afero v1.6.0/go.mod h1:Ai8FlHk4v/PARR026UzYexafAt9roJ7LcLMAmO6Z93I= github.com/spf13/cast v1.3.1 h1:nFm6S0SMdyzrzcmThSipiEubIDy8WEXKNZ0UOgiRpng= @@ -808,8 +816,9 @@ golang.org/x/oauth2 v0.0.0-20210413134643-5e61552d6c78/go.mod h1:KelEdhl1UZF7XfJ golang.org/x/oauth2 v0.0.0-20210427180440-81ed05c6b58c/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= golang.org/x/oauth2 v0.0.0-20210514164344-f6687ab2804c/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= golang.org/x/oauth2 v0.0.0-20210615190721-d04028783cf1/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= -golang.org/x/oauth2 v0.0.0-20210628180205-a41e5a781914 h1:3B43BWw0xEBsLZ/NO1VALz6fppU3481pik+2Ksv45z8= golang.org/x/oauth2 v0.0.0-20210628180205-a41e5a781914/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= +golang.org/x/oauth2 v0.0.0-20210805134026-6f1e6394065a h1:4Kd8OPUx1xgUwrHDaviWZO8MsgoZTZYC3g+8m16RBww= +golang.org/x/oauth2 v0.0.0-20210805134026-6f1e6394065a/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= @@ -894,8 +903,10 @@ golang.org/x/sys v0.0.0-20210601080250-7ecdf8ef093b/go.mod h1:oPkhp1MJrh7nUepCBc golang.org/x/sys v0.0.0-20210603081109-ebe580a85c40/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210603125802-9665404d3644/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210616094352-59db8d763f22/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c h1:F1jZWGFhYfh0Ci55sIpILtKKK8p3i2/krTr0H1rg74I= golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20210806184541-e5e7981a1069/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20210817134402-fefb4affbef3 h1:VU4cjb3pNZovHYRs/2E8zPrpLC05+GT2uqqgIFtt0jc= +golang.org/x/sys v0.0.0-20210817134402-fefb4affbef3/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1 h1:v+OssWQX+hTHEmOBgwxdZxK4zHq3yOs8F9J7mk0PY8E= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= @@ -1018,8 +1029,9 @@ google.golang.org/api v0.47.0/go.mod h1:Wbvgpq1HddcWVtzsVLyfLp8lDg6AA241LmgIL59t google.golang.org/api v0.48.0/go.mod h1:71Pr1vy+TAZRPkPs/xlCf5SsU8WjuAWv1Pfjbtukyy4= google.golang.org/api v0.49.0/go.mod h1:BECiH72wsfwUvOVn3+btPD5WHi0LzavZReBndi42L18= google.golang.org/api v0.50.0/go.mod h1:4bNT5pAuq5ji4SRZm+5QIkjny9JAyVD/3gaSihNefaw= -google.golang.org/api v0.52.0 h1:m5FLEd6dp5CU1F0tMWyqDi2XjchviIz8ntzOSz7w8As= -google.golang.org/api v0.52.0/go.mod h1:Him/adpjt0sxtkWViy0b6xyKW/SD71CwdJ7HqJo7SrU= +google.golang.org/api v0.51.0/go.mod h1:t4HdrdoNgyN5cbEfm7Lum0lcLDLiise1F8qDKX00sOU= +google.golang.org/api v0.54.0 h1:ECJUVngj71QI6XEm7b1sAf8BljU5inEhMbKPR8Lxhhk= +google.golang.org/api v0.54.0/go.mod h1:7C4bFFOvVDGXjfDTAsgGwDgAxRDeQ4X8NvUedIt6z3k= google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM= google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= google.golang.org/appengine v1.5.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= @@ -1085,10 +1097,12 @@ google.golang.org/genproto v0.0.0-20210608205507-b6d2f5bf0d7d/go.mod h1:UODoCrxH google.golang.org/genproto v0.0.0-20210617175327-b9e0b3197ced/go.mod h1:SzzZ/N+nwJDaO1kznhnlzqS8ocJICar6hYhVyhi++24= google.golang.org/genproto v0.0.0-20210624174822-c5cf32407d0a/go.mod h1:SzzZ/N+nwJDaO1kznhnlzqS8ocJICar6hYhVyhi++24= google.golang.org/genproto v0.0.0-20210624195500-8bfb893ecb84/go.mod h1:SzzZ/N+nwJDaO1kznhnlzqS8ocJICar6hYhVyhi++24= -google.golang.org/genproto v0.0.0-20210721163202-f1cecdd8b78a/go.mod h1:ob2IJxKrgPT52GcgX759i1sleT07tiKowYBGbczaW48= -google.golang.org/genproto v0.0.0-20210722135532-667f2b7c528f/go.mod h1:ob2IJxKrgPT52GcgX759i1sleT07tiKowYBGbczaW48= -google.golang.org/genproto v0.0.0-20210805201207-89edb61ffb67 h1:VmMSf20ssFK0+u1dscyTH9bU4/M4y+X/xNfkvD6kGtM= +google.golang.org/genproto v0.0.0-20210713002101-d411969a0d9a/go.mod h1:AxrInvYm1dci+enl5hChSFPOmmUF1+uAa/UsgNRWd7k= +google.golang.org/genproto v0.0.0-20210716133855-ce7ef5c701ea/go.mod h1:AxrInvYm1dci+enl5hChSFPOmmUF1+uAa/UsgNRWd7k= +google.golang.org/genproto v0.0.0-20210728212813-7823e685a01f/go.mod h1:ob2IJxKrgPT52GcgX759i1sleT07tiKowYBGbczaW48= google.golang.org/genproto v0.0.0-20210805201207-89edb61ffb67/go.mod h1:ob2IJxKrgPT52GcgX759i1sleT07tiKowYBGbczaW48= +google.golang.org/genproto v0.0.0-20210816143620-e15ff196659d h1:fPtHPeysWvGVJwQFKu3B7H2DB2sOEsW7UTayKkWESKw= +google.golang.org/genproto v0.0.0-20210816143620-e15ff196659d/go.mod h1:eFjDcFEctNawg4eG61bRv87N7iHBWyVhJu7u1kqDUXY= google.golang.org/grpc v1.8.0/go.mod h1:yo6s7OP7yaDglbqo1J04qKzAhqBH6lvTonzMVmEdcZw= google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38= @@ -1115,8 +1129,9 @@ google.golang.org/grpc v1.37.0/go.mod h1:NREThFqKR1f3iQ6oBuvc5LadQuXVGo9rkm5ZGrQ google.golang.org/grpc v1.37.1/go.mod h1:NREThFqKR1f3iQ6oBuvc5LadQuXVGo9rkm5ZGrQdJfM= google.golang.org/grpc v1.38.0/go.mod h1:NREThFqKR1f3iQ6oBuvc5LadQuXVGo9rkm5ZGrQdJfM= google.golang.org/grpc v1.39.0/go.mod h1:PImNr+rS9TWYb2O4/emRugxiyHZ5JyHW5F+RPnDzfrE= -google.golang.org/grpc v1.39.1 h1:f37vZbBVTiJ6jKG5mWz8ySOBxNqy6ViPgyhSdVnxF3E= google.golang.org/grpc v1.39.1/go.mod h1:PImNr+rS9TWYb2O4/emRugxiyHZ5JyHW5F+RPnDzfrE= +google.golang.org/grpc v1.40.0 h1:AGJ0Ih4mHjSeibYkFGh1dD9KJ/eOtZ93I6hoHhukQ5Q= +google.golang.org/grpc v1.40.0/go.mod h1:ogyxbiOoUXAkP+4+xa6PZSE9DZgIHtSpzjDTB9KAK34= google.golang.org/grpc/cmd/protoc-gen-go-grpc v1.1.0/go.mod h1:6Kw0yEErY5E/yWrBtf03jp27GLLJujG4z/JK95pnjjw= google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8= google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0= diff --git a/httpd/api_admin.go b/httpd/api_admin.go index 8105b691..7b162e9e 100644 --- a/httpd/api_admin.go +++ b/httpd/api_admin.go @@ -13,6 +13,7 @@ import ( ) func getAdmins(w http.ResponseWriter, r *http.Request) { + r.Body = http.MaxBytesReader(w, r.Body, maxRequestSize) limit, offset, order, err := getSearchFilters(w, r) if err != nil { return @@ -27,6 +28,7 @@ func getAdmins(w http.ResponseWriter, r *http.Request) { } func getAdminByUsername(w http.ResponseWriter, r *http.Request) { + r.Body = http.MaxBytesReader(w, r.Body, maxRequestSize) username := getURLParam(r, "username") renderAdmin(w, r, username, http.StatusOK) } @@ -84,6 +86,11 @@ func updateAdmin(w http.ResponseWriter, r *http.Request) { return } if username == claims.Username { + if claims.APIKeyID != "" { + sendAPIResponse(w, r, errors.New("updating the admin impersonated with an API key is not allowed"), "", + http.StatusBadRequest) + return + } if claims.isCriticalPermRemoved(admin.Permissions) { sendAPIResponse(w, r, errors.New("you cannot remove these permissions to yourself"), "", http.StatusBadRequest) return @@ -103,6 +110,7 @@ func updateAdmin(w http.ResponseWriter, r *http.Request) { } func deleteAdmin(w http.ResponseWriter, r *http.Request) { + r.Body = http.MaxBytesReader(w, r.Body, maxRequestSize) username := getURLParam(r, "username") claims, err := getTokenClaims(r) if err != nil || claims.Username == "" { diff --git a/httpd/api_defender.go b/httpd/api_defender.go index 0d534dcf..4445bbff 100644 --- a/httpd/api_defender.go +++ b/httpd/api_defender.go @@ -14,6 +14,7 @@ import ( ) func getDefenderHosts(w http.ResponseWriter, r *http.Request) { + r.Body = http.MaxBytesReader(w, r.Body, maxRequestSize) hosts := common.GetDefenderHosts() if hosts == nil { render.JSON(w, r, make([]common.DefenderEntry, 0)) @@ -23,6 +24,7 @@ func getDefenderHosts(w http.ResponseWriter, r *http.Request) { } func getDefenderHostByID(w http.ResponseWriter, r *http.Request) { + r.Body = http.MaxBytesReader(w, r.Body, maxRequestSize) ip, err := getIPFromID(r) if err != nil { sendAPIResponse(w, r, err, "", http.StatusBadRequest) @@ -37,6 +39,7 @@ func getDefenderHostByID(w http.ResponseWriter, r *http.Request) { } func deleteDefenderHostByID(w http.ResponseWriter, r *http.Request) { + r.Body = http.MaxBytesReader(w, r.Body, maxRequestSize) ip, err := getIPFromID(r) if err != nil { sendAPIResponse(w, r, err, "", http.StatusBadRequest) @@ -51,6 +54,7 @@ func deleteDefenderHostByID(w http.ResponseWriter, r *http.Request) { } func getBanTime(w http.ResponseWriter, r *http.Request) { + r.Body = http.MaxBytesReader(w, r.Body, maxRequestSize) ip := r.URL.Query().Get("ip") err := validateIPAddress(ip) if err != nil { @@ -72,6 +76,7 @@ func getBanTime(w http.ResponseWriter, r *http.Request) { } func getScore(w http.ResponseWriter, r *http.Request) { + r.Body = http.MaxBytesReader(w, r.Body, maxRequestSize) ip := r.URL.Query().Get("ip") err := validateIPAddress(ip) if err != nil { diff --git a/httpd/api_folder.go b/httpd/api_folder.go index 795b8d2a..0ecd82d7 100644 --- a/httpd/api_folder.go +++ b/httpd/api_folder.go @@ -11,6 +11,7 @@ import ( ) func getFolders(w http.ResponseWriter, r *http.Request) { + r.Body = http.MaxBytesReader(w, r.Body, maxRequestSize) limit, offset, order, err := getSearchFilters(w, r) if err != nil { return @@ -99,11 +100,13 @@ func renderFolder(w http.ResponseWriter, r *http.Request, name string, status in } func getFolderByName(w http.ResponseWriter, r *http.Request) { + r.Body = http.MaxBytesReader(w, r.Body, maxRequestSize) name := getURLParam(r, "name") renderFolder(w, r, name, http.StatusOK) } func deleteFolder(w http.ResponseWriter, r *http.Request) { + r.Body = http.MaxBytesReader(w, r.Body, maxRequestSize) name := getURLParam(r, "name") err := dataprovider.DeleteFolder(name) if err != nil { diff --git a/httpd/api_http_user.go b/httpd/api_http_user.go index 4ea20a19..136ec139 100644 --- a/httpd/api_http_user.go +++ b/httpd/api_http_user.go @@ -45,6 +45,7 @@ func getUserConnection(w http.ResponseWriter, r *http.Request) (*Connection, err } func readUserFolder(w http.ResponseWriter, r *http.Request) { + r.Body = http.MaxBytesReader(w, r.Body, maxRequestSize) connection, err := getUserConnection(w, r) if err != nil { return @@ -130,6 +131,7 @@ func deleteUserDir(w http.ResponseWriter, r *http.Request) { } func getUserFile(w http.ResponseWriter, r *http.Request) { + r.Body = http.MaxBytesReader(w, r.Body, maxRequestSize) connection, err := getUserConnection(w, r) if err != nil { return @@ -278,6 +280,7 @@ func deleteUserFile(w http.ResponseWriter, r *http.Request) { } func getUserFilesAsZipStream(w http.ResponseWriter, r *http.Request) { + r.Body = http.MaxBytesReader(w, r.Body, maxRequestSize) connection, err := getUserConnection(w, r) if err != nil { return @@ -302,6 +305,7 @@ func getUserFilesAsZipStream(w http.ResponseWriter, r *http.Request) { } func getUserPublicKeys(w http.ResponseWriter, r *http.Request) { + r.Body = http.MaxBytesReader(w, r.Body, maxRequestSize) claims, err := getTokenClaims(r) if err != nil || claims.Username == "" { sendAPIResponse(w, r, err, "Invalid token claims", http.StatusBadRequest) diff --git a/httpd/api_keys.go b/httpd/api_keys.go new file mode 100644 index 00000000..0aa6c2f5 --- /dev/null +++ b/httpd/api_keys.go @@ -0,0 +1,99 @@ +package httpd + +import ( + "context" + "fmt" + "net/http" + + "github.com/go-chi/render" + + "github.com/drakkan/sftpgo/v2/dataprovider" +) + +func getAPIKeys(w http.ResponseWriter, r *http.Request) { + r.Body = http.MaxBytesReader(w, r.Body, maxRequestSize) + limit, offset, order, err := getSearchFilters(w, r) + if err != nil { + return + } + + apiKeys, err := dataprovider.GetAPIKeys(limit, offset, order) + if err != nil { + sendAPIResponse(w, r, err, "", getRespStatus(err)) + return + } + render.JSON(w, r, apiKeys) +} + +func getAPIKeyByID(w http.ResponseWriter, r *http.Request) { + r.Body = http.MaxBytesReader(w, r.Body, maxRequestSize) + keyID := getURLParam(r, "id") + apiKey, err := dataprovider.APIKeyExists(keyID) + if err != nil { + sendAPIResponse(w, r, err, "", getRespStatus(err)) + return + } + apiKey.HideConfidentialData() + + render.JSON(w, r, apiKey) +} + +func addAPIKey(w http.ResponseWriter, r *http.Request) { + r.Body = http.MaxBytesReader(w, r.Body, maxRequestSize) + var apiKey dataprovider.APIKey + err := render.DecodeJSON(r.Body, &apiKey) + if err != nil { + sendAPIResponse(w, r, err, "", http.StatusBadRequest) + return + } + apiKey.ID = 0 + apiKey.KeyID = "" + apiKey.Key = "" + err = dataprovider.AddAPIKey(&apiKey) + if err != nil { + sendAPIResponse(w, r, err, "", getRespStatus(err)) + return + } + response := make(map[string]string) + response["message"] = "API key created. This is the only time the API key is visible, please save it." + response["key"] = apiKey.DisplayKey() + w.Header().Add("Location", fmt.Sprintf("%v/%v", apiKeysPath, apiKey.KeyID)) + w.Header().Add("X-Object-ID", apiKey.KeyID) + ctx := context.WithValue(r.Context(), render.StatusCtxKey, http.StatusCreated) + render.JSON(w, r.WithContext(ctx), response) +} + +func updateAPIKey(w http.ResponseWriter, r *http.Request) { + r.Body = http.MaxBytesReader(w, r.Body, maxRequestSize) + keyID := getURLParam(r, "id") + apiKey, err := dataprovider.APIKeyExists(keyID) + if err != nil { + sendAPIResponse(w, r, err, "", getRespStatus(err)) + return + } + + err = render.DecodeJSON(r.Body, &apiKey) + if err != nil { + sendAPIResponse(w, r, err, "", http.StatusBadRequest) + return + } + + apiKey.KeyID = keyID + if err := dataprovider.UpdateAPIKey(&apiKey); err != nil { + sendAPIResponse(w, r, err, "", getRespStatus(err)) + return + } + sendAPIResponse(w, r, nil, "API key updated", http.StatusOK) +} + +func deleteAPIKey(w http.ResponseWriter, r *http.Request) { + r.Body = http.MaxBytesReader(w, r.Body, maxRequestSize) + keyID := getURLParam(r, "id") + + err := dataprovider.DeleteAPIKey(keyID) + if err != nil { + sendAPIResponse(w, r, err, "", getRespStatus(err)) + return + } + sendAPIResponse(w, r, err, "API key deleted", http.StatusOK) +} diff --git a/httpd/api_maintenance.go b/httpd/api_maintenance.go index 35781d85..0a8412a1 100644 --- a/httpd/api_maintenance.go +++ b/httpd/api_maintenance.go @@ -35,6 +35,7 @@ func validateBackupFile(outputFile string) (string, error) { } func dumpData(w http.ResponseWriter, r *http.Request) { + r.Body = http.MaxBytesReader(w, r.Body, maxRequestSize) var outputFile, outputData, indent string if _, ok := r.URL.Query()["output-file"]; ok { outputFile = strings.TrimSpace(r.URL.Query().Get("output-file")) @@ -117,6 +118,7 @@ func loadDataFromRequest(w http.ResponseWriter, r *http.Request) { } func loadData(w http.ResponseWriter, r *http.Request) { + r.Body = http.MaxBytesReader(w, r.Body, maxRequestSize) inputFile, scanQuota, mode, err := getLoaddataOptions(r) if err != nil { sendAPIResponse(w, r, err, "", http.StatusBadRequest) @@ -166,6 +168,10 @@ func restoreBackup(content []byte, inputFile string, scanQuota, mode int) error return err } + if err = RestoreAPIKeys(dump.APIKeys, inputFile, mode); err != nil { + return err + } + logger.Debug(logSender, "", "backup restored, users: %v, folders: %v, admins: %vs", len(dump.Users), len(dump.Folders), len(dump.Admins)) @@ -216,7 +222,7 @@ func RestoreFolders(folders []vfs.BaseVirtualFolder, inputFile string, mode, sca logger.Debug(logSender, "", "adding new folder: %+v, dump file: %#v, error: %v", folder, inputFile, err) } if err != nil { - return err + return fmt.Errorf("unable to restore folder %#v: %w", folder.Name, err) } if scanQuota >= 1 { if common.QuotaScans.AddVFolderQuotaScan(folder.Name) { @@ -228,6 +234,36 @@ func RestoreFolders(folders []vfs.BaseVirtualFolder, inputFile string, mode, sca return nil } +// RestoreAPIKeys restores the specified API keys +func RestoreAPIKeys(apiKeys []dataprovider.APIKey, inputFile string, mode int) error { + for _, apiKey := range apiKeys { + apiKey := apiKey // pin + if apiKey.Key == "" { + logger.Warn(logSender, "", "cannot restore empty API key") + return fmt.Errorf("cannot restore an empty API key: %+v", apiKey) + } + k, err := dataprovider.APIKeyExists(apiKey.KeyID) + if err == nil { + if mode == 1 { + logger.Debug(logSender, "", "loaddata mode 1, existing API key %#v not updated", apiKey.KeyID) + continue + } + apiKey.ID = k.ID + err = dataprovider.UpdateAPIKey(&apiKey) + apiKey.Key = redactedSecret + logger.Debug(logSender, "", "restoring existing API key: %+v, dump file: %#v, error: %v", apiKey, inputFile, err) + } else { + err = dataprovider.AddAPIKey(&apiKey) + apiKey.Key = redactedSecret + logger.Debug(logSender, "", "adding new API key: %+v, dump file: %#v, error: %v", apiKey, inputFile, err) + } + if err != nil { + return fmt.Errorf("unable to restore API key %#v: %w", apiKey.KeyID, err) + } + } + return nil +} + // RestoreAdmins restores the specified admins func RestoreAdmins(admins []dataprovider.Admin, inputFile string, mode int) error { for _, admin := range admins { @@ -248,7 +284,7 @@ func RestoreAdmins(admins []dataprovider.Admin, inputFile string, mode int) erro logger.Debug(logSender, "", "adding new admin: %+v, dump file: %#v, error: %v", admin, inputFile, err) } if err != nil { - return err + return fmt.Errorf("unable to restore admin %#v: %w", admin.Username, err) } } @@ -278,7 +314,7 @@ func RestoreUsers(users []dataprovider.User, inputFile string, mode, scanQuota i logger.Debug(logSender, "", "adding new user: %+v, dump file: %#v, error: %v", user, inputFile, err) } if err != nil { - return err + return fmt.Errorf("unable to restoreuser %#v: %w", user.Username, err) } if scanQuota == 1 || (scanQuota == 2 && user.HasQuotaRestrictions()) { if common.QuotaScans.AddUserQuotaScan(user.Username) { diff --git a/httpd/api_quota.go b/httpd/api_quota.go index c9f35399..fa1c8a7e 100644 --- a/httpd/api_quota.go +++ b/httpd/api_quota.go @@ -23,10 +23,12 @@ type quotaUsage struct { } func getUsersQuotaScans(w http.ResponseWriter, r *http.Request) { + r.Body = http.MaxBytesReader(w, r.Body, maxRequestSize) render.JSON(w, r, common.QuotaScans.GetUsersQuotaScans()) } func getFoldersQuotaScans(w http.ResponseWriter, r *http.Request) { + r.Body = http.MaxBytesReader(w, r.Body, maxRequestSize) render.JSON(w, r, common.QuotaScans.GetVFoldersQuotaScans()) } diff --git a/httpd/api_user.go b/httpd/api_user.go index 5429287d..8e69fb3c 100644 --- a/httpd/api_user.go +++ b/httpd/api_user.go @@ -17,6 +17,7 @@ import ( ) func getUsers(w http.ResponseWriter, r *http.Request) { + r.Body = http.MaxBytesReader(w, r.Body, maxRequestSize) limit, offset, order, err := getSearchFilters(w, r) if err != nil { return @@ -31,6 +32,7 @@ func getUsers(w http.ResponseWriter, r *http.Request) { } func getUserByUsername(w http.ResponseWriter, r *http.Request) { + r.Body = http.MaxBytesReader(w, r.Body, maxRequestSize) username := getURLParam(r, "username") renderUser(w, r, username, http.StatusOK) } @@ -164,6 +166,7 @@ func updateUser(w http.ResponseWriter, r *http.Request) { } func deleteUser(w http.ResponseWriter, r *http.Request) { + r.Body = http.MaxBytesReader(w, r.Body, maxRequestSize) username := getURLParam(r, "username") err := dataprovider.DeleteUser(username) if err != nil { diff --git a/httpd/api_utils.go b/httpd/api_utils.go index 638d1f2f..db285494 100644 --- a/httpd/api_utils.go +++ b/httpd/api_utils.go @@ -30,7 +30,9 @@ type pwdChange struct { func sendAPIResponse(w http.ResponseWriter, r *http.Request, err error, message string, code int) { var errorString string - if err != nil { + if _, ok := err.(*util.RecordNotFoundError); ok { + errorString = http.StatusText(http.StatusNotFound) + } else if err != nil { errorString = err.Error() } resp := apiResponse{ @@ -71,6 +73,7 @@ func getMappedStatusCode(err error) int { } func handleCloseConnection(w http.ResponseWriter, r *http.Request) { + r.Body = http.MaxBytesReader(w, r.Body, maxRequestSize) connectionID := getURLParam(r, "connectionID") if connectionID == "" { sendAPIResponse(w, r, nil, "connectionID is mandatory", http.StatusBadRequest) diff --git a/httpd/auth_utils.go b/httpd/auth_utils.go index 4c6228d0..f1a5e064 100644 --- a/httpd/auth_utils.go +++ b/httpd/auth_utils.go @@ -28,6 +28,7 @@ const ( const ( claimUsernameKey = "username" claimPermissionsKey = "permissions" + claimAPIKey = "api_key" basicRealm = "Basic realm=\"SFTPGo\"" ) @@ -43,6 +44,7 @@ type jwtTokenClaims struct { Username string Permissions []string Signature string + APIKeyID string } func (c *jwtTokenClaims) asMap() map[string]interface{} { @@ -50,6 +52,9 @@ func (c *jwtTokenClaims) asMap() map[string]interface{} { claims[claimUsernameKey] = c.Username claims[claimPermissionsKey] = c.Permissions + if c.APIKeyID != "" { + claims[claimAPIKey] = c.APIKeyID + } claims[jwt.SubjectKey] = c.Signature return claims @@ -70,6 +75,13 @@ func (c *jwtTokenClaims) Decode(token map[string]interface{}) { c.Signature = v } + if val, ok := token[claimAPIKey]; ok { + switch v := val.(type) { + case string: + c.APIKeyID = v + } + } + permissions := token[claimPermissionsKey] switch v := permissions.(type) { case []interface{}: diff --git a/httpd/httpd.go b/httpd/httpd.go index c4fa1873..f60dd76e 100644 --- a/httpd/httpd.go +++ b/httpd/httpd.go @@ -30,121 +30,128 @@ import ( ) const ( - logSender = "httpd" - tokenPath = "/api/v2/token" - logoutPath = "/api/v2/logout" - userTokenPath = "/api/v2/user/token" - userLogoutPath = "/api/v2/user/logout" - activeConnectionsPath = "/api/v2/connections" - quotasBasePath = "/api/v2/quotas" - quotaScanPath = "/api/v2/quota-scans" - quotaScanVFolderPath = "/api/v2/folder-quota-scans" - userPath = "/api/v2/users" - versionPath = "/api/v2/version" - folderPath = "/api/v2/folders" - serverStatusPath = "/api/v2/status" - dumpDataPath = "/api/v2/dumpdata" - loadDataPath = "/api/v2/loaddata" - updateUsedQuotaPath = "/api/v2/quota-update" - updateFolderUsedQuotaPath = "/api/v2/folder-quota-update" - defenderHosts = "/api/v2/defender/hosts" - defenderBanTime = "/api/v2/defender/bantime" - defenderUnban = "/api/v2/defender/unban" - defenderScore = "/api/v2/defender/score" - adminPath = "/api/v2/admins" - adminPwdPath = "/api/v2/admin/changepwd" - adminPwdCompatPath = "/api/v2/changepwd/admin" - userPwdPath = "/api/v2/user/changepwd" - userPublicKeysPath = "/api/v2/user/publickeys" - userFolderPath = "/api/v2/user/folder" - userDirsPath = "/api/v2/user/dirs" - userFilePath = "/api/v2/user/file" - userFilesPath = "/api/v2/user/files" - userStreamZipPath = "/api/v2/user/streamzip" - healthzPath = "/healthz" - webRootPathDefault = "/" - webBasePathDefault = "/web" - webBasePathAdminDefault = "/web/admin" - webBasePathClientDefault = "/web/client" - webAdminSetupPathDefault = "/web/admin/setup" - webLoginPathDefault = "/web/admin/login" - webLogoutPathDefault = "/web/admin/logout" - webUsersPathDefault = "/web/admin/users" - webUserPathDefault = "/web/admin/user" - webConnectionsPathDefault = "/web/admin/connections" - webFoldersPathDefault = "/web/admin/folders" - webFolderPathDefault = "/web/admin/folder" - webStatusPathDefault = "/web/admin/status" - webAdminsPathDefault = "/web/admin/managers" - webAdminPathDefault = "/web/admin/manager" - webMaintenancePathDefault = "/web/admin/maintenance" - webBackupPathDefault = "/web/admin/backup" - webRestorePathDefault = "/web/admin/restore" - webScanVFolderPathDefault = "/web/admin/quotas/scanfolder" - webQuotaScanPathDefault = "/web/admin/quotas/scanuser" - webChangeAdminPwdPathDefault = "/web/admin/changepwd" - webTemplateUserDefault = "/web/admin/template/user" - webTemplateFolderDefault = "/web/admin/template/folder" - webDefenderPathDefault = "/web/admin/defender" - webDefenderHostsPathDefault = "/web/admin/defender/hosts" - webClientLoginPathDefault = "/web/client/login" - webClientFilesPathDefault = "/web/client/files" - webClientDirsPathDefault = "/web/client/dirs" - webClientDownloadZipPathDefault = "/web/client/downloadzip" - webClientCredentialsPathDefault = "/web/client/credentials" - webChangeClientPwdPathDefault = "/web/client/changepwd" - webChangeClientKeysPathDefault = "/web/client/managekeys" - webClientLogoutPathDefault = "/web/client/logout" - webStaticFilesPathDefault = "/static" + logSender = "httpd" + tokenPath = "/api/v2/token" + logoutPath = "/api/v2/logout" + userTokenPath = "/api/v2/user/token" + userLogoutPath = "/api/v2/user/logout" + activeConnectionsPath = "/api/v2/connections" + quotasBasePath = "/api/v2/quotas" + quotaScanPath = "/api/v2/quota-scans" + quotaScanVFolderPath = "/api/v2/folder-quota-scans" + userPath = "/api/v2/users" + versionPath = "/api/v2/version" + folderPath = "/api/v2/folders" + serverStatusPath = "/api/v2/status" + dumpDataPath = "/api/v2/dumpdata" + loadDataPath = "/api/v2/loaddata" + updateUsedQuotaPath = "/api/v2/quota-update" + updateFolderUsedQuotaPath = "/api/v2/folder-quota-update" + defenderHosts = "/api/v2/defender/hosts" + defenderBanTime = "/api/v2/defender/bantime" + defenderUnban = "/api/v2/defender/unban" + defenderScore = "/api/v2/defender/score" + adminPath = "/api/v2/admins" + adminPwdPath = "/api/v2/admin/changepwd" + adminPwdCompatPath = "/api/v2/changepwd/admin" + userPwdPath = "/api/v2/user/changepwd" + userPublicKeysPath = "/api/v2/user/publickeys" + userFolderPath = "/api/v2/user/folder" + userDirsPath = "/api/v2/user/dirs" + userFilePath = "/api/v2/user/file" + userFilesPath = "/api/v2/user/files" + userStreamZipPath = "/api/v2/user/streamzip" + apiKeysPath = "/api/v2/apikeys" + healthzPath = "/healthz" + webRootPathDefault = "/" + webBasePathDefault = "/web" + webBasePathAdminDefault = "/web/admin" + webBasePathClientDefault = "/web/client" + webAdminSetupPathDefault = "/web/admin/setup" + webLoginPathDefault = "/web/admin/login" + webLogoutPathDefault = "/web/admin/logout" + webUsersPathDefault = "/web/admin/users" + webUserPathDefault = "/web/admin/user" + webConnectionsPathDefault = "/web/admin/connections" + webFoldersPathDefault = "/web/admin/folders" + webFolderPathDefault = "/web/admin/folder" + webStatusPathDefault = "/web/admin/status" + webAdminsPathDefault = "/web/admin/managers" + webAdminPathDefault = "/web/admin/manager" + webMaintenancePathDefault = "/web/admin/maintenance" + webBackupPathDefault = "/web/admin/backup" + webRestorePathDefault = "/web/admin/restore" + webScanVFolderPathDefault = "/web/admin/quotas/scanfolder" + webQuotaScanPathDefault = "/web/admin/quotas/scanuser" + webChangeAdminPwdPathDefault = "/web/admin/changepwd" + webAdminCredentialsPathDefault = "/web/admin/credentials" + webChangeAdminAPIKeyAccessPathDefault = "/web/admin/apikeyaccess" + webTemplateUserDefault = "/web/admin/template/user" + webTemplateFolderDefault = "/web/admin/template/folder" + webDefenderPathDefault = "/web/admin/defender" + webDefenderHostsPathDefault = "/web/admin/defender/hosts" + webClientLoginPathDefault = "/web/client/login" + webClientFilesPathDefault = "/web/client/files" + webClientDirsPathDefault = "/web/client/dirs" + webClientDownloadZipPathDefault = "/web/client/downloadzip" + webClientCredentialsPathDefault = "/web/client/credentials" + webChangeClientPwdPathDefault = "/web/client/changepwd" + webChangeClientKeysPathDefault = "/web/client/managekeys" + webChangeClientAPIKeyAccessPathDefault = "/web/client/apikeyaccess" + webClientLogoutPathDefault = "/web/client/logout" + webStaticFilesPathDefault = "/static" // MaxRestoreSize defines the max size for the loaddata input file MaxRestoreSize = 10485760 // 10 MB maxRequestSize = 1048576 // 1MB - maxLoginPostSize = 262144 // 256 KB + maxLoginBodySize = 262144 // 256 KB maxMultipartMem = 8388608 // 8MB osWindows = "windows" ) var ( - backupsPath string - certMgr *common.CertManager - jwtTokensCleanupTicker *time.Ticker - jwtTokensCleanupDone chan bool - invalidatedJWTTokens sync.Map - csrfTokenAuth *jwtauth.JWTAuth - webRootPath string - webBasePath string - webBaseAdminPath string - webBaseClientPath string - webAdminSetupPath string - webLoginPath string - webLogoutPath string - webUsersPath string - webUserPath string - webConnectionsPath string - webFoldersPath string - webFolderPath string - webStatusPath string - webAdminsPath string - webAdminPath string - webMaintenancePath string - webBackupPath string - webRestorePath string - webScanVFolderPath string - webQuotaScanPath string - webChangeAdminPwdPath string - webTemplateUser string - webTemplateFolder string - webDefenderPath string - webDefenderHostsPath string - webClientLoginPath string - webClientFilesPath string - webClientDirsPath string - webClientDownloadZipPath string - webClientCredentialsPath string - webChangeClientPwdPath string - webChangeClientKeysPath string - webClientLogoutPath string - webStaticFilesPath string + backupsPath string + certMgr *common.CertManager + jwtTokensCleanupTicker *time.Ticker + jwtTokensCleanupDone chan bool + invalidatedJWTTokens sync.Map + csrfTokenAuth *jwtauth.JWTAuth + webRootPath string + webBasePath string + webBaseAdminPath string + webBaseClientPath string + webAdminSetupPath string + webLoginPath string + webLogoutPath string + webUsersPath string + webUserPath string + webConnectionsPath string + webFoldersPath string + webFolderPath string + webStatusPath string + webAdminsPath string + webAdminPath string + webMaintenancePath string + webBackupPath string + webRestorePath string + webScanVFolderPath string + webQuotaScanPath string + webAdminCredentialsPath string + webChangeAdminAPIKeyAccessPath string + webChangeAdminPwdPath string + webTemplateUser string + webTemplateFolder string + webDefenderPath string + webDefenderHostsPath string + webClientLoginPath string + webClientFilesPath string + webClientDirsPath string + webClientDownloadZipPath string + webClientCredentialsPath string + webChangeClientPwdPath string + webChangeClientKeysPath string + webChangeClientAPIKeyAccessPath string + webClientLogoutPath string + webStaticFilesPath string // max upload size for http clients, 1GB by default maxUploadFileSize = int64(1048576000) ) @@ -478,6 +485,7 @@ func updateWebClientURLs(baseURL string) { webClientCredentialsPath = path.Join(baseURL, webClientCredentialsPathDefault) webChangeClientPwdPath = path.Join(baseURL, webChangeClientPwdPathDefault) webChangeClientKeysPath = path.Join(baseURL, webChangeClientKeysPathDefault) + webChangeClientAPIKeyAccessPath = path.Join(baseURL, webChangeClientAPIKeyAccessPathDefault) webClientLogoutPath = path.Join(baseURL, webClientLogoutPathDefault) } @@ -505,6 +513,8 @@ func updateWebAdminURLs(baseURL string) { webScanVFolderPath = path.Join(baseURL, webScanVFolderPathDefault) webQuotaScanPath = path.Join(baseURL, webQuotaScanPathDefault) webChangeAdminPwdPath = path.Join(baseURL, webChangeAdminPwdPathDefault) + webAdminCredentialsPath = path.Join(baseURL, webAdminCredentialsPathDefault) + webChangeAdminAPIKeyAccessPath = path.Join(baseURL, webChangeAdminAPIKeyAccessPathDefault) webTemplateUser = path.Join(baseURL, webTemplateUserDefault) webTemplateFolder = path.Join(baseURL, webTemplateFolderDefault) webDefenderHostsPath = path.Join(baseURL, webDefenderHostsPathDefault) diff --git a/httpd/httpd_test.go b/httpd/httpd_test.go index eefcb2cb..cf9ac112 100644 --- a/httpd/httpd_test.go +++ b/httpd/httpd_test.go @@ -26,6 +26,7 @@ import ( "github.com/go-chi/render" _ "github.com/go-sql-driver/mysql" _ "github.com/lib/pq" + "github.com/lithammer/shortuuid/v3" _ "github.com/mattn/go-sqlite3" "github.com/rs/zerolog" "github.com/stretchr/testify/assert" @@ -81,6 +82,7 @@ const ( userDirsPath = "/api/v2/user/dirs" userFilesPath = "/api/v2/user/files" userStreamZipPath = "/api/v2/user/streamzip" + apiKeysPath = "/api/v2/apikeys" healthzPath = "/healthz" webBasePath = "/web" webBasePathAdmin = "/web/admin" @@ -98,9 +100,11 @@ const ( webMaintenancePath = "/web/admin/maintenance" webRestorePath = "/web/admin/restore" webChangeAdminPwdPath = "/web/admin/changepwd" + webAdminCredentialsPath = "/web/admin/credentials" webTemplateUser = "/web/admin/template/user" webTemplateFolder = "/web/admin/template/folder" webDefenderPath = "/web/admin/defender" + webChangeAdminAPIKeyAccessPath = "/web/admin/apikeyaccess" webBasePathClient = "/web/client" webClientLoginPath = "/web/client/login" webClientFilesPath = "/web/client/files" @@ -109,6 +113,7 @@ const ( webClientCredentialsPath = "/web/client/credentials" webChangeClientPwdPath = "/web/client/changepwd" webChangeClientKeysPath = "/web/client/managekeys" + webChangeClientAPIKeyAccessPath = "/web/client/apikeyaccess" webClientLogoutPath = "/web/client/logout" httpBaseURL = "http://127.0.0.1:8081" sftpServerAddr = "127.0.0.1:8022" @@ -2877,8 +2882,6 @@ func TestSkipNaturalKeysValidation(t *testing.T) { assert.NoError(t, err) user, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK) assert.NoError(t, err) - _, err = httpdtest.RemoveUser(user, http.StatusOK) - assert.NoError(t, err) a := getTestAdmin() a.Username = "admin@example.com" @@ -2889,8 +2892,6 @@ func TestSkipNaturalKeysValidation(t *testing.T) { assert.NoError(t, err) admin, _, err = httpdtest.GetAdminByUsername(admin.Username, http.StatusOK) assert.NoError(t, err) - _, err = httpdtest.RemoveAdmin(admin, http.StatusOK) - assert.NoError(t, err) f := vfs.BaseVirtualFolder{ Name: "文件夹", @@ -2916,6 +2917,44 @@ func TestSkipNaturalKeysValidation(t *testing.T) { assert.NoError(t, err) err = dataprovider.Initialize(providerConf, configDir, true) assert.NoError(t, err) + if config.GetProviderConf().Driver == dataprovider.MemoryDataProviderName { + return + } + + csrfToken, err := getCSRFToken(httpBaseURL + webClientLoginPath) + assert.NoError(t, err) + token, err := getJWTWebClientTokenFromTestServer(user.Username, defaultPassword) + assert.NoError(t, err) + form := make(url.Values) + form.Set(csrfFormToken, csrfToken) + req, err := http.NewRequest(http.MethodPost, webChangeClientAPIKeyAccessPath, bytes.NewBuffer([]byte(form.Encode()))) + assert.NoError(t, err) + req.Header.Set("Content-Type", "application/x-www-form-urlencoded") + setJWTCookieForReq(req, token) + rr := executeRequest(req) + checkResponseCode(t, http.StatusOK, rr) + assert.Contains(t, rr.Body.String(), "the following characters are allowed") + + _, err = httpdtest.RemoveUser(user, http.StatusOK) + assert.NoError(t, err) + err = os.RemoveAll(user.GetHomeDir()) + assert.NoError(t, err) + + token, err = getJWTWebTokenFromTestServer(admin.Username, defaultTokenAuthPass) + assert.NoError(t, err) + csrfToken, err = getCSRFToken(httpBaseURL + webLoginPath) + assert.NoError(t, err) + form = make(url.Values) + form.Set(csrfFormToken, csrfToken) + req, _ = http.NewRequest(http.MethodPost, webChangeAdminAPIKeyAccessPath, bytes.NewBuffer([]byte(form.Encode()))) + req.Header.Set("Content-Type", "application/x-www-form-urlencoded") + setJWTCookieForReq(req, token) + rr = executeRequest(req) + checkResponseCode(t, http.StatusOK, rr) + assert.Contains(t, rr.Body.String(), "the following characters are allowed") + + _, err = httpdtest.RemoveAdmin(admin, http.StatusOK) + assert.NoError(t, err) } func TestUserBaseDir(t *testing.T) { @@ -3006,6 +3045,8 @@ func TestProviderErrors(t *testing.T) { assert.NoError(t, err) _, _, err = httpdtest.GetAdmins(1, 0, http.StatusInternalServerError) assert.NoError(t, err) + _, _, err = httpdtest.GetAPIKeys(1, 0, http.StatusInternalServerError) + assert.NoError(t, err) _, _, err = httpdtest.UpdateUser(dataprovider.User{BaseUser: sdk.BaseUser{Username: "auser"}}, http.StatusInternalServerError, "") assert.NoError(t, err) _, err = httpdtest.RemoveUser(dataprovider.User{BaseUser: sdk.BaseUser{Username: "auser"}}, http.StatusInternalServerError) @@ -3047,6 +3088,21 @@ func TestProviderErrors(t *testing.T) { assert.NoError(t, err) _, _, err = httpdtest.Loaddata(backupFilePath, "", "", http.StatusInternalServerError) assert.NoError(t, err) + backupData.Users = nil + backupData.Folders = nil + backupData.Admins = nil + backupData.APIKeys = append(backupData.APIKeys, dataprovider.APIKey{ + Name: "name", + KeyID: shortuuid.New(), + Key: fmt.Sprintf("%v.%v", shortuuid.New(), shortuuid.New()), + Scope: dataprovider.APIKeyScopeUser, + }) + backupContent, err = json.Marshal(backupData) + assert.NoError(t, err) + err = os.WriteFile(backupFilePath, backupContent, os.ModePerm) + assert.NoError(t, err) + _, _, err = httpdtest.Loaddata(backupFilePath, "", "", http.StatusInternalServerError) + assert.NoError(t, err) err = os.Remove(backupFilePath) assert.NoError(t, err) req, err := http.NewRequest(http.MethodGet, webUserPath, nil) @@ -3380,6 +3436,7 @@ func TestLoaddataFromPostBody(t *testing.T) { MappedPath: mappedPath + "1", }, } + backupData.APIKeys = append(backupData.APIKeys, dataprovider.APIKey{}) backupContent, err := json.Marshal(backupData) assert.NoError(t, err) _, _, err = httpdtest.LoaddataFromPostBody(nil, "0", "0", http.StatusBadRequest) @@ -3388,6 +3445,20 @@ func TestLoaddataFromPostBody(t *testing.T) { assert.NoError(t, err) _, _, err = httpdtest.LoaddataFromPostBody([]byte("invalid content"), "0", "0", http.StatusBadRequest) assert.NoError(t, err) + _, _, err = httpdtest.LoaddataFromPostBody(backupContent, "0", "0", http.StatusInternalServerError) + assert.NoError(t, err) + + keyID := shortuuid.New() + backupData.APIKeys = []dataprovider.APIKey{ + { + Name: "test key", + Scope: dataprovider.APIKeyScopeAdmin, + KeyID: keyID, + Key: fmt.Sprintf("%v.%v", shortuuid.New(), shortuuid.New()), + }, + } + backupContent, err = json.Marshal(backupData) + assert.NoError(t, err) _, _, err = httpdtest.LoaddataFromPostBody(backupContent, "0", "0", http.StatusOK) assert.NoError(t, err) user, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK) @@ -3399,6 +3470,10 @@ func TestLoaddataFromPostBody(t *testing.T) { assert.NoError(t, err) _, err = httpdtest.RemoveAdmin(admin, http.StatusOK) assert.NoError(t, err) + apiKey, _, err := httpdtest.GetAPIKeyByID(keyID, http.StatusOK) + assert.NoError(t, err) + _, err = httpdtest.RemoveAPIKey(apiKey, http.StatusOK) + assert.NoError(t, err) folder, _, err := httpdtest.GetFolderByName(folderName, http.StatusOK) assert.NoError(t, err) @@ -3421,6 +3496,12 @@ func TestLoaddata(t *testing.T) { admin := getTestAdmin() admin.ID = 1 admin.Username = "test_admin_restore" + apiKey := dataprovider.APIKey{ + Name: shortuuid.New(), + Scope: dataprovider.APIKeyScopeAdmin, + KeyID: shortuuid.New(), + Key: fmt.Sprintf("%v.%v", shortuuid.New(), shortuuid.New()), + } backupData := dataprovider.BackupData{} backupData.Users = append(backupData.Users, user) backupData.Admins = append(backupData.Admins, admin) @@ -3439,6 +3520,7 @@ func TestLoaddata(t *testing.T) { Description: foldeDesc, }, } + backupData.APIKeys = append(backupData.APIKeys, apiKey) backupContent, err := json.Marshal(backupData) assert.NoError(t, err) backupFilePath := filepath.Join(backupsPath, "backup.json") @@ -3460,7 +3542,7 @@ func TestLoaddata(t *testing.T) { err = os.Chmod(backupFilePath, 0644) assert.NoError(t, err) } - // add user, folder, admin from backup + // add user, folder, admin, API key from backup _, _, err = httpdtest.Loaddata(backupFilePath, "1", "", http.StatusOK) assert.NoError(t, err) // update from backup @@ -3476,6 +3558,11 @@ func TestLoaddata(t *testing.T) { _, err = httpdtest.RemoveAdmin(admin, http.StatusOK) assert.NoError(t, err) + apiKey, _, err = httpdtest.GetAPIKeyByID(apiKey.KeyID, http.StatusOK) + assert.NoError(t, err) + _, err = httpdtest.RemoveAPIKey(apiKey, http.StatusOK) + assert.NoError(t, err) + folder, _, err := httpdtest.GetFolderByName(folderName, http.StatusOK) assert.NoError(t, err) assert.Equal(t, mappedPath, folder.MappedPath) @@ -3511,6 +3598,13 @@ func TestLoaddataMode(t *testing.T) { admin := getTestAdmin() admin.ID = 1 admin.Username = "test_admin_restore" + apiKey := dataprovider.APIKey{ + Name: shortuuid.New(), + Scope: dataprovider.APIKeyScopeAdmin, + KeyID: shortuuid.New(), + Key: fmt.Sprintf("%v.%v", shortuuid.New(), shortuuid.New()), + Description: "desc", + } backupData := dataprovider.BackupData{} backupData.Users = append(backupData.Users, user) backupData.Admins = append(backupData.Admins, admin) @@ -3528,6 +3622,7 @@ func TestLoaddataMode(t *testing.T) { Name: folderName, }, } + backupData.APIKeys = append(backupData.APIKeys, apiKey) backupContent, _ := json.Marshal(backupData) backupFilePath := filepath.Join(backupsPath, "backup.json") err := os.WriteFile(backupFilePath, backupContent, os.ModePerm) @@ -3555,6 +3650,13 @@ func TestLoaddataMode(t *testing.T) { admin.Description = "newDesc" admin, _, err = httpdtest.UpdateAdmin(admin, http.StatusOK) assert.NoError(t, err) + apiKey, _, err = httpdtest.GetAPIKeyByID(apiKey.KeyID, http.StatusOK) + assert.NoError(t, err) + oldAPIKeyDesc := apiKey.Description + apiKey.ExpiresAt = util.GetTimeAsMsSinceEpoch(time.Now()) + apiKey.Description = "new desc" + apiKey, _, err = httpdtest.UpdateAPIKey(apiKey, http.StatusOK) + assert.NoError(t, err) backupData.Folders = []vfs.BaseVirtualFolder{ { @@ -3586,6 +3688,11 @@ func TestLoaddataMode(t *testing.T) { assert.NotEqual(t, oldInfo, admin.AdditionalInfo) assert.NotEqual(t, oldDesc, admin.Description) + apiKey, _, err = httpdtest.GetAPIKeyByID(apiKey.KeyID, http.StatusOK) + assert.NoError(t, err) + assert.NotEqual(t, int64(0), apiKey.ExpiresAt) + assert.NotEqual(t, oldAPIKeyDesc, apiKey.Description) + _, _, err = httpdtest.Loaddata(backupFilePath, "0", "2", http.StatusOK) assert.NoError(t, err) // mode 2 will update the user and close the previous connection @@ -4013,6 +4120,153 @@ func TestUpdateAdminMock(t *testing.T) { checkResponseCode(t, http.StatusOK, rr) } +func TestAdminHandlingWithAPIKeys(t *testing.T) { + sysAdmin, _, err := httpdtest.GetAdminByUsername(defaultTokenAuthUser, http.StatusOK) + assert.NoError(t, err) + sysAdmin.Filters.AllowAPIKeyAuth = true + sysAdmin, _, err = httpdtest.UpdateAdmin(sysAdmin, http.StatusOK) + assert.NoError(t, err) + + apiKey := dataprovider.APIKey{ + Name: "test admin API key", + Scope: dataprovider.APIKeyScopeAdmin, + Admin: defaultTokenAuthUser, + } + + apiKey, resp, err := httpdtest.AddAPIKey(apiKey, http.StatusCreated) + assert.NoError(t, err, string(resp)) + + admin := getTestAdmin() + admin.Username = altAdminUsername + asJSON, err := json.Marshal(admin) + assert.NoError(t, err) + req, err := http.NewRequest(http.MethodPost, adminPath, bytes.NewBuffer(asJSON)) + assert.NoError(t, err) + setAPIKeyForReq(req, apiKey.Key, "") + rr := executeRequest(req) + checkResponseCode(t, http.StatusCreated, rr) + _, err = getJWTAPITokenFromTestServer(altAdminUsername, defaultTokenAuthPass) + assert.NoError(t, err) + + admin.Filters.AllowAPIKeyAuth = true + asJSON, err = json.Marshal(admin) + assert.NoError(t, err) + req, err = http.NewRequest(http.MethodPut, path.Join(adminPath, altAdminUsername), bytes.NewBuffer(asJSON)) + assert.NoError(t, err) + setAPIKeyForReq(req, apiKey.Key, "") + rr = executeRequest(req) + checkResponseCode(t, http.StatusOK, rr) + + req, err = http.NewRequest(http.MethodGet, path.Join(adminPath, altAdminUsername), nil) + assert.NoError(t, err) + setAPIKeyForReq(req, apiKey.Key, "") + rr = executeRequest(req) + checkResponseCode(t, http.StatusOK, rr) + var adminGet dataprovider.Admin + err = json.Unmarshal(rr.Body.Bytes(), &adminGet) + assert.NoError(t, err) + assert.True(t, adminGet.Filters.AllowAPIKeyAuth) + + req, err = http.NewRequest(http.MethodPut, path.Join(adminPath, defaultTokenAuthUser), bytes.NewBuffer(asJSON)) + assert.NoError(t, err) + setAPIKeyForReq(req, apiKey.Key, "") + rr = executeRequest(req) + checkResponseCode(t, http.StatusBadRequest, rr) + assert.Contains(t, rr.Body.String(), "updating the admin impersonated with an API key is not allowed") + // changing the password for the impersonated admin is not allowed + pwd := make(map[string]string) + pwd["current_password"] = defaultTokenAuthPass + pwd["new_password"] = altAdminPassword + asJSON, err = json.Marshal(pwd) + assert.NoError(t, err) + req, _ = http.NewRequest(http.MethodPut, adminPwdPath, bytes.NewBuffer(asJSON)) + setAPIKeyForReq(req, apiKey.Key, "") + rr = executeRequest(req) + checkResponseCode(t, http.StatusForbidden, rr) + assert.Contains(t, rr.Body.String(), "API key authentication is not allowed") + + req, err = http.NewRequest(http.MethodDelete, path.Join(adminPath, defaultTokenAuthUser), nil) + assert.NoError(t, err) + setAPIKeyForReq(req, apiKey.Key, "") + rr = executeRequest(req) + checkResponseCode(t, http.StatusBadRequest, rr) + assert.Contains(t, rr.Body.String(), "you cannot delete yourself") + + req, err = http.NewRequest(http.MethodDelete, path.Join(adminPath, altAdminUsername), nil) + assert.NoError(t, err) + setAPIKeyForReq(req, apiKey.Key, "") + rr = executeRequest(req) + checkResponseCode(t, http.StatusOK, rr) + + _, err = httpdtest.RemoveAPIKey(apiKey, http.StatusOK) + assert.NoError(t, err) + + dbAdmin, err := dataprovider.AdminExists(defaultTokenAuthUser) + assert.NoError(t, err) + dbAdmin.Filters.AllowAPIKeyAuth = false + err = dataprovider.UpdateAdmin(&dbAdmin) + assert.NoError(t, err) + sysAdmin, _, err = httpdtest.GetAdminByUsername(defaultTokenAuthUser, http.StatusOK) + assert.NoError(t, err) + assert.False(t, sysAdmin.Filters.AllowAPIKeyAuth) +} + +func TestUserHandlingWithAPIKey(t *testing.T) { + admin := getTestAdmin() + admin.Username = altAdminUsername + admin.Filters.AllowAPIKeyAuth = true + admin, _, err := httpdtest.AddAdmin(admin, http.StatusCreated) + assert.NoError(t, err) + + apiKey := dataprovider.APIKey{ + Name: "test admin API key", + Scope: dataprovider.APIKeyScopeAdmin, + Admin: admin.Username, + } + + apiKey, _, err = httpdtest.AddAPIKey(apiKey, http.StatusCreated) + assert.NoError(t, err) + + user := getTestUser() + userAsJSON := getUserAsJSON(t, user) + req, err := http.NewRequest(http.MethodPost, userPath, bytes.NewBuffer(userAsJSON)) + assert.NoError(t, err) + setAPIKeyForReq(req, apiKey.Key, "") + rr := executeRequest(req) + checkResponseCode(t, http.StatusCreated, rr) + + user.Filters.DisableFsChecks = true + user.Description = "desc" + userAsJSON = getUserAsJSON(t, user) + req, err = http.NewRequest(http.MethodPut, path.Join(userPath, user.Username), bytes.NewBuffer(userAsJSON)) + assert.NoError(t, err) + setAPIKeyForReq(req, apiKey.Key, "") + rr = executeRequest(req) + checkResponseCode(t, http.StatusOK, rr) + + req, err = http.NewRequest(http.MethodGet, path.Join(userPath, user.Username), nil) + assert.NoError(t, err) + setAPIKeyForReq(req, apiKey.Key, "") + rr = executeRequest(req) + checkResponseCode(t, http.StatusOK, rr) + var updatedUser dataprovider.User + err = json.Unmarshal(rr.Body.Bytes(), &updatedUser) + assert.NoError(t, err) + assert.True(t, updatedUser.Filters.DisableFsChecks) + assert.Equal(t, user.Description, updatedUser.Description) + + req, err = http.NewRequest(http.MethodDelete, path.Join(userPath, user.Username), nil) + assert.NoError(t, err) + setAPIKeyForReq(req, apiKey.Key, "") + rr = executeRequest(req) + checkResponseCode(t, http.StatusOK, rr) + + _, err = httpdtest.RemoveAdmin(admin, http.StatusOK) + assert.NoError(t, err) + _, _, err = httpdtest.GetAPIKeyByID(apiKey.KeyID, http.StatusNotFound) + assert.NoError(t, err) +} + func TestUpdateUserMock(t *testing.T) { token, err := getJWTAPITokenFromTestServer(defaultTokenAuthUser, defaultTokenAuthPass) assert.NoError(t, err) @@ -5200,8 +5454,15 @@ func TestPostConnectHook(t *testing.T) { common.Config.PostConnectHook = postConnectPath u := getTestUser() + u.Filters.AllowAPIKeyAuth = true user, _, err := httpdtest.AddUser(u, http.StatusCreated) assert.NoError(t, err) + apiKey, _, err := httpdtest.AddAPIKey(dataprovider.APIKey{ + Name: "name", + Scope: dataprovider.APIKeyScopeUser, + User: user.Username, + }, http.StatusCreated) + assert.NoError(t, err) err = os.WriteFile(postConnectPath, getExitCodeScriptContent(0), os.ModePerm) assert.NoError(t, err) @@ -5211,6 +5472,12 @@ func TestPostConnectHook(t *testing.T) { _, err = getJWTAPIUserTokenFromTestServer(defaultUsername, defaultPassword) assert.NoError(t, err) + req, err := http.NewRequest(http.MethodGet, userDirsPath, nil) + assert.NoError(t, err) + setAPIKeyForReq(req, apiKey.Key, "") + rr := executeRequest(req) + checkResponseCode(t, http.StatusOK, rr) + err = os.WriteFile(postConnectPath, getExitCodeScriptContent(1), os.ModePerm) assert.NoError(t, err) @@ -5220,6 +5487,12 @@ func TestPostConnectHook(t *testing.T) { _, err = getJWTAPIUserTokenFromTestServer(defaultUsername, defaultPassword) assert.Error(t, err) + req, err = http.NewRequest(http.MethodGet, userDirsPath, nil) + assert.NoError(t, err) + setAPIKeyForReq(req, apiKey.Key, "") + rr = executeRequest(req) + checkResponseCode(t, http.StatusUnauthorized, rr) + _, err = httpdtest.RemoveUser(user, http.StatusOK) assert.NoError(t, err) err = os.RemoveAll(user.GetHomeDir()) @@ -5257,11 +5530,18 @@ func TestMaxSessions(t *testing.T) { func TestLoginInvalidFs(t *testing.T) { u := getTestUser() + u.Filters.AllowAPIKeyAuth = true u.FsConfig.Provider = sdk.GCSFilesystemProvider u.FsConfig.GCSConfig.Bucket = "test" u.FsConfig.GCSConfig.Credentials = kms.NewPlainSecret("invalid JSON for credentials") user, _, err := httpdtest.AddUser(u, http.StatusCreated) assert.NoError(t, err) + apiKey, _, err := httpdtest.AddAPIKey(dataprovider.APIKey{ + Name: "testk", + Scope: dataprovider.APIKeyScopeUser, + User: u.Username, + }, http.StatusCreated) + assert.NoError(t, err) credentialsFile := filepath.Join(credentialsPath, fmt.Sprintf("%v_gcs_credentials.json", u.Username)) if !filepath.IsAbs(credentialsFile) { @@ -5278,6 +5558,12 @@ func TestLoginInvalidFs(t *testing.T) { _, err = getJWTAPIUserTokenFromTestServer(defaultUsername, defaultPassword) assert.Error(t, err) + req, err := http.NewRequest(http.MethodGet, userDirsPath, nil) + assert.NoError(t, err) + setAPIKeyForReq(req, apiKey.Key, "") + rr := executeRequest(req) + checkResponseCode(t, http.StatusInternalServerError, rr) + _, err = httpdtest.RemoveUser(user, http.StatusOK) assert.NoError(t, err) err = os.RemoveAll(user.GetHomeDir()) @@ -5595,6 +5881,125 @@ func TestPreUploadHook(t *testing.T) { common.Config.Actions.Hook = oldHook } +func TestUserAPIKey(t *testing.T) { + u := getTestUser() + u.Filters.AllowAPIKeyAuth = true + user, _, err := httpdtest.AddUser(u, http.StatusCreated) + assert.NoError(t, err) + apiKey := dataprovider.APIKey{ + Name: "testkey", + User: user.Username, + Scope: dataprovider.APIKeyScopeUser, + } + apiKey, _, err = httpdtest.AddAPIKey(apiKey, http.StatusCreated) + assert.NoError(t, err) + + body := new(bytes.Buffer) + writer := multipart.NewWriter(body) + part, err := writer.CreateFormFile("filename", "filenametest") + assert.NoError(t, err) + _, err = part.Write([]byte("test file content")) + assert.NoError(t, err) + err = writer.Close() + assert.NoError(t, err) + reader := bytes.NewReader(body.Bytes()) + _, err = reader.Seek(0, io.SeekStart) + assert.NoError(t, err) + req, err := http.NewRequest(http.MethodPost, userFilesPath, reader) + assert.NoError(t, err) + req.Header.Add("Content-Type", writer.FormDataContentType()) + setAPIKeyForReq(req, apiKey.Key, "") + rr := executeRequest(req) + checkResponseCode(t, http.StatusCreated, rr) + + req, err = http.NewRequest(http.MethodGet, userDirsPath, nil) + assert.NoError(t, err) + setAPIKeyForReq(req, apiKey.Key, "") + rr = executeRequest(req) + checkResponseCode(t, http.StatusOK, rr) + var dirEntries []map[string]interface{} + err = json.Unmarshal(rr.Body.Bytes(), &dirEntries) + assert.NoError(t, err) + assert.Len(t, dirEntries, 1) + + user.Status = 0 + user, _, err = httpdtest.UpdateUser(user, http.StatusOK, "") + assert.NoError(t, err) + req, err = http.NewRequest(http.MethodGet, userDirsPath, nil) + assert.NoError(t, err) + setAPIKeyForReq(req, apiKey.Key, "") + rr = executeRequest(req) + checkResponseCode(t, http.StatusUnauthorized, rr) + + user.Status = 1 + user.Filters.DeniedProtocols = []string{common.ProtocolHTTP} + user, _, err = httpdtest.UpdateUser(user, http.StatusOK, "") + assert.NoError(t, err) + + req, err = http.NewRequest(http.MethodGet, userDirsPath, nil) + assert.NoError(t, err) + setAPIKeyForReq(req, apiKey.Key, "") + rr = executeRequest(req) + checkResponseCode(t, http.StatusUnauthorized, rr) + + user.Filters.DeniedProtocols = []string{common.ProtocolFTP} + user, _, err = httpdtest.UpdateUser(user, http.StatusOK, "") + assert.NoError(t, err) + + req, err = http.NewRequest(http.MethodGet, userDirsPath, nil) + assert.NoError(t, err) + setAPIKeyForReq(req, apiKey.Key, "") + rr = executeRequest(req) + checkResponseCode(t, http.StatusOK, rr) + apiKeyNew := dataprovider.APIKey{ + Name: apiKey.Name, + Scope: dataprovider.APIKeyScopeUser, + } + + apiKeyNew, _, err = httpdtest.AddAPIKey(apiKeyNew, http.StatusCreated) + assert.NoError(t, err) + req, err = http.NewRequest(http.MethodGet, userDirsPath, nil) + assert.NoError(t, err) + setAPIKeyForReq(req, apiKeyNew.Key, "") + rr = executeRequest(req) + checkResponseCode(t, http.StatusUnauthorized, rr) + // now associate a user + req, err = http.NewRequest(http.MethodGet, userDirsPath, nil) + assert.NoError(t, err) + setAPIKeyForReq(req, apiKeyNew.Key, user.Username) + rr = executeRequest(req) + checkResponseCode(t, http.StatusOK, rr) + // now with a missing user + req, err = http.NewRequest(http.MethodGet, userDirsPath, nil) + assert.NoError(t, err) + setAPIKeyForReq(req, apiKeyNew.Key, user.Username+"1") + rr = executeRequest(req) + checkResponseCode(t, http.StatusUnauthorized, rr) + // empty user and key not associated to any user + req, err = http.NewRequest(http.MethodGet, userDirsPath, nil) + assert.NoError(t, err) + setAPIKeyForReq(req, apiKeyNew.Key, "") + rr = executeRequest(req) + checkResponseCode(t, http.StatusUnauthorized, rr) + apiKeyNew.ExpiresAt = util.GetTimeAsMsSinceEpoch(time.Now().Add(-24 * time.Hour)) + _, _, err = httpdtest.UpdateAPIKey(apiKeyNew, http.StatusOK) + assert.NoError(t, err) + // expired API key + req, err = http.NewRequest(http.MethodGet, userDirsPath, nil) + assert.NoError(t, err) + setAPIKeyForReq(req, apiKeyNew.Key, user.Username) + rr = executeRequest(req) + checkResponseCode(t, http.StatusUnauthorized, rr) + + _, err = httpdtest.RemoveUser(user, http.StatusOK) + assert.NoError(t, err) + err = os.RemoveAll(user.GetHomeDir()) + assert.NoError(t, err) + + _, err = httpdtest.RemoveAPIKey(apiKeyNew, http.StatusOK) + assert.NoError(t, err) +} + func TestWebGetFiles(t *testing.T) { user, _, err := httpdtest.AddUser(getTestUser(), http.StatusCreated) assert.NoError(t, err) @@ -7029,7 +7434,7 @@ func TestWebAdminLoginMock(t *testing.T) { } func TestAdminNoToken(t *testing.T) { - req, _ := http.NewRequest(http.MethodGet, webChangeAdminPwdPath, nil) + req, _ := http.NewRequest(http.MethodGet, webAdminCredentialsPath, nil) rr := executeRequest(req) checkResponseCode(t, http.StatusFound, rr) assert.Equal(t, webLoginPath, rr.Header().Get("Location")) @@ -7048,6 +7453,125 @@ func TestAdminNoToken(t *testing.T) { checkResponseCode(t, http.StatusUnauthorized, rr) } +func TestWebUserAllowAPIKeyAuth(t *testing.T) { + u := getTestUser() + u.Filters.AllowAPIKeyAuth = true + user, _, err := httpdtest.AddUser(u, http.StatusCreated) + assert.NoError(t, err) + + csrfToken, err := getCSRFToken(httpBaseURL + webClientLoginPath) + assert.NoError(t, err) + token, err := getJWTWebClientTokenFromTestServer(defaultUsername, defaultPassword) + assert.NoError(t, err) + + form := make(url.Values) + form.Set("allow_api_key_auth", "1") + // no csrf token + req, err := http.NewRequest(http.MethodPost, webChangeClientAPIKeyAccessPath, bytes.NewBuffer([]byte(form.Encode()))) + assert.NoError(t, err) + req.Header.Set("Content-Type", "application/x-www-form-urlencoded") + setJWTCookieForReq(req, token) + rr := executeRequest(req) + checkResponseCode(t, http.StatusForbidden, rr) + assert.Contains(t, rr.Body.String(), "unable to verify form token") + + form.Set(csrfFormToken, csrfToken) + req, _ = http.NewRequest(http.MethodPost, webChangeClientAPIKeyAccessPath, bytes.NewBuffer([]byte(form.Encode()))) + req.Header.Set("Content-Type", "application/x-www-form-urlencoded") + setJWTCookieForReq(req, token) + rr = executeRequest(req) + checkResponseCode(t, http.StatusOK, rr) + assert.Contains(t, rr.Body.String(), "API key authentication updated") + + user, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK) + assert.NoError(t, err) + assert.True(t, user.Filters.AllowAPIKeyAuth) + + form = make(url.Values) + form.Set(csrfFormToken, csrfToken) + req, _ = http.NewRequest(http.MethodPost, webChangeClientAPIKeyAccessPath, bytes.NewBuffer([]byte(form.Encode()))) + req.Header.Set("Content-Type", "application/x-www-form-urlencoded") + setJWTCookieForReq(req, token) + rr = executeRequest(req) + checkResponseCode(t, http.StatusOK, rr) + assert.Contains(t, rr.Body.String(), "API key authentication updated") + + user, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK) + assert.NoError(t, err) + assert.False(t, user.Filters.AllowAPIKeyAuth) + + err = os.RemoveAll(user.GetHomeDir()) + assert.NoError(t, err) + _, err = httpdtest.RemoveUser(user, http.StatusOK) + assert.NoError(t, err) + + form = make(url.Values) + form.Set(csrfFormToken, csrfToken) + req, _ = http.NewRequest(http.MethodPost, webChangeClientAPIKeyAccessPath, bytes.NewBuffer([]byte(form.Encode()))) + req.Header.Set("Content-Type", "application/x-www-form-urlencoded") + setJWTCookieForReq(req, token) + rr = executeRequest(req) + checkResponseCode(t, http.StatusInternalServerError, rr) +} + +func TestWebAdminAllowAPIKeyAuth(t *testing.T) { + admin := getTestAdmin() + admin.Username = altAdminUsername + admin.Password = altAdminPassword + admin, _, err := httpdtest.AddAdmin(admin, http.StatusCreated) + assert.NoError(t, err) + token, err := getJWTWebTokenFromTestServer(admin.Username, altAdminPassword) + assert.NoError(t, err) + csrfToken, err := getCSRFToken(httpBaseURL + webLoginPath) + assert.NoError(t, err) + form := make(url.Values) + form.Set("allow_api_key_auth", "1") + // no csrf token + req, err := http.NewRequest(http.MethodPost, webChangeAdminAPIKeyAccessPath, bytes.NewBuffer([]byte(form.Encode()))) + assert.NoError(t, err) + req.Header.Set("Content-Type", "application/x-www-form-urlencoded") + setJWTCookieForReq(req, token) + rr := executeRequest(req) + checkResponseCode(t, http.StatusForbidden, rr) + assert.Contains(t, rr.Body.String(), "unable to verify form token") + + form.Set(csrfFormToken, csrfToken) + req, _ = http.NewRequest(http.MethodPost, webChangeAdminAPIKeyAccessPath, bytes.NewBuffer([]byte(form.Encode()))) + req.Header.Set("Content-Type", "application/x-www-form-urlencoded") + setJWTCookieForReq(req, token) + rr = executeRequest(req) + checkResponseCode(t, http.StatusOK, rr) + assert.Contains(t, rr.Body.String(), "API key authentication updated") + + admin, _, err = httpdtest.GetAdminByUsername(admin.Username, http.StatusOK) + assert.NoError(t, err) + assert.True(t, admin.Filters.AllowAPIKeyAuth) + + form = make(url.Values) + form.Set(csrfFormToken, csrfToken) + req, _ = http.NewRequest(http.MethodPost, webChangeAdminAPIKeyAccessPath, bytes.NewBuffer([]byte(form.Encode()))) + req.Header.Set("Content-Type", "application/x-www-form-urlencoded") + setJWTCookieForReq(req, token) + rr = executeRequest(req) + checkResponseCode(t, http.StatusOK, rr) + assert.Contains(t, rr.Body.String(), "API key authentication updated") + + admin, _, err = httpdtest.GetAdminByUsername(admin.Username, http.StatusOK) + assert.NoError(t, err) + assert.False(t, admin.Filters.AllowAPIKeyAuth) + + _, err = httpdtest.RemoveAdmin(admin, http.StatusOK) + assert.NoError(t, err) + + form = make(url.Values) + form.Set(csrfFormToken, csrfToken) + req, _ = http.NewRequest(http.MethodPost, webChangeAdminAPIKeyAccessPath, bytes.NewBuffer([]byte(form.Encode()))) + req.Header.Set("Content-Type", "application/x-www-form-urlencoded") + setJWTCookieForReq(req, token) + rr = executeRequest(req) + checkResponseCode(t, http.StatusInternalServerError, rr) +} + func TestWebAdminPwdChange(t *testing.T) { admin := getTestAdmin() admin.Username = altAdminUsername @@ -7059,7 +7583,8 @@ func TestWebAdminPwdChange(t *testing.T) { assert.NoError(t, err) csrfToken, err := getCSRFToken(httpBaseURL + webLoginPath) assert.NoError(t, err) - req, _ := http.NewRequest(http.MethodGet, webChangeAdminPwdPath, nil) + req, err := http.NewRequest(http.MethodGet, webAdminCredentialsPath, nil) + assert.NoError(t, err) setJWTCookieForReq(req, token) rr := executeRequest(req) checkResponseCode(t, http.StatusOK, rr) @@ -7096,6 +7621,389 @@ func TestWebAdminPwdChange(t *testing.T) { assert.NoError(t, err) } +func TestAPIKeysManagement(t *testing.T) { + admin := getTestAdmin() + admin.Username = altAdminUsername + admin.Password = altAdminPassword + admin, _, err := httpdtest.AddAdmin(admin, http.StatusCreated) + assert.NoError(t, err) + token, err := getJWTAPITokenFromTestServer(defaultTokenAuthUser, defaultTokenAuthPass) + assert.NoError(t, err) + apiKey := dataprovider.APIKey{ + Name: "test key", + Scope: dataprovider.APIKeyScopeAdmin, + } + asJSON, err := json.Marshal(apiKey) + assert.NoError(t, err) + req, err := http.NewRequest(http.MethodPost, apiKeysPath, bytes.NewBuffer(asJSON)) + assert.NoError(t, err) + setBearerForReq(req, token) + rr := executeRequest(req) + checkResponseCode(t, http.StatusCreated, rr) + location := rr.Header().Get("Location") + assert.NotEmpty(t, location) + objectID := rr.Header().Get("X-Object-ID") + assert.NotEmpty(t, objectID) + assert.Equal(t, fmt.Sprintf("%v/%v", apiKeysPath, objectID), location) + apiKey.KeyID = objectID + response := make(map[string]string) + err = json.Unmarshal(rr.Body.Bytes(), &response) + assert.NoError(t, err) + key := response["key"] + assert.NotEmpty(t, key) + assert.True(t, strings.HasPrefix(key, apiKey.KeyID+".")) + + req, err = http.NewRequest(http.MethodGet, location, nil) + assert.NoError(t, err) + setBearerForReq(req, token) + rr = executeRequest(req) + checkResponseCode(t, http.StatusOK, rr) + var keyGet dataprovider.APIKey + err = json.Unmarshal(rr.Body.Bytes(), &keyGet) + assert.NoError(t, err) + assert.Empty(t, keyGet.Key) + assert.Equal(t, apiKey.KeyID, keyGet.KeyID) + assert.Equal(t, apiKey.Scope, keyGet.Scope) + assert.Equal(t, apiKey.Name, keyGet.Name) + assert.Equal(t, int64(0), keyGet.ExpiresAt) + assert.Equal(t, int64(0), keyGet.LastUseAt) + assert.Greater(t, keyGet.CreatedAt, int64(0)) + assert.Greater(t, keyGet.UpdatedAt, int64(0)) + assert.Empty(t, keyGet.Description) + assert.Empty(t, keyGet.User) + assert.Empty(t, keyGet.Admin) + + // API key is not enabled for the admin user so this request should fail + req, err = http.NewRequest(http.MethodGet, versionPath, nil) + assert.NoError(t, err) + setAPIKeyForReq(req, key, admin.Username) + rr = executeRequest(req) + checkResponseCode(t, http.StatusUnauthorized, rr) + assert.Contains(t, rr.Body.String(), "the admin associated with the provided api key cannot be authenticated") + + admin.Filters.AllowAPIKeyAuth = true + admin, _, err = httpdtest.UpdateAdmin(admin, http.StatusOK) + assert.NoError(t, err) + req, err = http.NewRequest(http.MethodGet, versionPath, nil) + assert.NoError(t, err) + setAPIKeyForReq(req, key, admin.Username) + rr = executeRequest(req) + checkResponseCode(t, http.StatusOK, rr) + + req, err = http.NewRequest(http.MethodGet, versionPath, nil) + assert.NoError(t, err) + setAPIKeyForReq(req, key, admin.Username+"1") + rr = executeRequest(req) + checkResponseCode(t, http.StatusUnauthorized, rr) + + req, err = http.NewRequest(http.MethodGet, versionPath, nil) + assert.NoError(t, err) + setAPIKeyForReq(req, key, "") + rr = executeRequest(req) + checkResponseCode(t, http.StatusUnauthorized, rr) + + // now associate the key directly to the admin + apiKey.Admin = admin.Username + apiKey.Description = "test description" + asJSON, err = json.Marshal(apiKey) + assert.NoError(t, err) + req, err = http.NewRequest(http.MethodPut, location, bytes.NewBuffer(asJSON)) + assert.NoError(t, err) + setBearerForReq(req, token) + rr = executeRequest(req) + checkResponseCode(t, http.StatusOK, rr) + + req, err = http.NewRequest(http.MethodGet, apiKeysPath, nil) + assert.NoError(t, err) + setBearerForReq(req, token) + rr = executeRequest(req) + checkResponseCode(t, http.StatusOK, rr) + var keys []dataprovider.APIKey + err = json.Unmarshal(rr.Body.Bytes(), &keys) + assert.NoError(t, err) + if assert.GreaterOrEqual(t, len(keys), 1) { + found := false + for _, k := range keys { + if k.KeyID == apiKey.KeyID { + found = true + assert.Empty(t, k.Key) + assert.Equal(t, apiKey.Scope, k.Scope) + assert.Equal(t, apiKey.Name, k.Name) + assert.Equal(t, int64(0), k.ExpiresAt) + assert.Greater(t, k.LastUseAt, int64(0)) + assert.Equal(t, k.CreatedAt, keyGet.CreatedAt) + assert.Greater(t, k.UpdatedAt, keyGet.UpdatedAt) + assert.Equal(t, apiKey.Description, k.Description) + assert.Empty(t, k.User) + assert.Equal(t, admin.Username, k.Admin) + } + } + assert.True(t, found) + } + req, err = http.NewRequest(http.MethodGet, versionPath, nil) + assert.NoError(t, err) + setAPIKeyForReq(req, key, "") + rr = executeRequest(req) + checkResponseCode(t, http.StatusOK, rr) + // invalid API keys + req, err = http.NewRequest(http.MethodGet, versionPath, nil) + assert.NoError(t, err) + setAPIKeyForReq(req, key+"invalid", "") + rr = executeRequest(req) + checkResponseCode(t, http.StatusUnauthorized, rr) + assert.Contains(t, rr.Body.String(), "the provided api key cannot be authenticated") + req, err = http.NewRequest(http.MethodGet, versionPath, nil) + assert.NoError(t, err) + setAPIKeyForReq(req, "invalid", "") + rr = executeRequest(req) + checkResponseCode(t, http.StatusBadRequest, rr) + // using an API key we cannot modify/get API keys + req, err = http.NewRequest(http.MethodPut, location, bytes.NewBuffer(asJSON)) + assert.NoError(t, err) + setAPIKeyForReq(req, key, "") + rr = executeRequest(req) + checkResponseCode(t, http.StatusForbidden, rr) + + req, err = http.NewRequest(http.MethodGet, location, nil) + assert.NoError(t, err) + setAPIKeyForReq(req, key, "") + rr = executeRequest(req) + checkResponseCode(t, http.StatusForbidden, rr) + + admin.Filters.AllowList = []string{"172.16.18.0/24"} + admin, _, err = httpdtest.UpdateAdmin(admin, http.StatusOK) + assert.NoError(t, err) + req, err = http.NewRequest(http.MethodGet, versionPath, nil) + assert.NoError(t, err) + setAPIKeyForReq(req, key, "") + rr = executeRequest(req) + checkResponseCode(t, http.StatusUnauthorized, rr) + + req, err = http.NewRequest(http.MethodDelete, location, nil) + assert.NoError(t, err) + setBearerForReq(req, token) + rr = executeRequest(req) + checkResponseCode(t, http.StatusOK, rr) + + req, err = http.NewRequest(http.MethodGet, versionPath, nil) + assert.NoError(t, err) + setAPIKeyForReq(req, key, "") + rr = executeRequest(req) + checkResponseCode(t, http.StatusBadRequest, rr) + assert.Contains(t, rr.Body.String(), "the provided api key is not valid") + + _, err = httpdtest.RemoveAdmin(admin, http.StatusOK) + assert.NoError(t, err) +} + +func TestAPIKeySearch(t *testing.T) { + token, err := getJWTAPITokenFromTestServer(defaultTokenAuthUser, defaultTokenAuthPass) + assert.NoError(t, err) + apiKey := dataprovider.APIKey{ + Scope: dataprovider.APIKeyScopeAdmin, + } + for i := 1; i < 5; i++ { + apiKey.Name = fmt.Sprintf("testapikey%v", i) + asJSON, err := json.Marshal(apiKey) + assert.NoError(t, err) + req, err := http.NewRequest(http.MethodPost, apiKeysPath, bytes.NewBuffer(asJSON)) + assert.NoError(t, err) + setBearerForReq(req, token) + rr := executeRequest(req) + checkResponseCode(t, http.StatusCreated, rr) + } + + req, err := http.NewRequest(http.MethodGet, apiKeysPath+"?limit=1&order=ASC", nil) + assert.NoError(t, err) + setBearerForReq(req, token) + rr := executeRequest(req) + checkResponseCode(t, http.StatusOK, rr) + var keys []dataprovider.APIKey + err = json.Unmarshal(rr.Body.Bytes(), &keys) + assert.NoError(t, err) + assert.Len(t, keys, 1) + firstKey := keys[0] + + req, err = http.NewRequest(http.MethodGet, apiKeysPath+"?limit=1&order=DESC", nil) + assert.NoError(t, err) + setBearerForReq(req, token) + rr = executeRequest(req) + checkResponseCode(t, http.StatusOK, rr) + keys = nil + err = json.Unmarshal(rr.Body.Bytes(), &keys) + assert.NoError(t, err) + if assert.Len(t, keys, 1) { + assert.NotEqual(t, firstKey.KeyID, keys[0].KeyID) + } + + req, err = http.NewRequest(http.MethodGet, apiKeysPath+"?limit=1&offset=100", nil) + assert.NoError(t, err) + setBearerForReq(req, token) + rr = executeRequest(req) + checkResponseCode(t, http.StatusOK, rr) + keys = nil + err = json.Unmarshal(rr.Body.Bytes(), &keys) + assert.NoError(t, err) + assert.Len(t, keys, 0) + + req, err = http.NewRequest(http.MethodGet, apiKeysPath+"?limit=a", nil) + assert.NoError(t, err) + setBearerForReq(req, token) + rr = executeRequest(req) + checkResponseCode(t, http.StatusBadRequest, rr) + + req, err = http.NewRequest(http.MethodGet, fmt.Sprintf("%v/%v", apiKeysPath, "missingid"), nil) + assert.NoError(t, err) + setBearerForReq(req, token) + rr = executeRequest(req) + checkResponseCode(t, http.StatusNotFound, rr) + + req, err = http.NewRequest(http.MethodGet, apiKeysPath, nil) + assert.NoError(t, err) + setBearerForReq(req, token) + rr = executeRequest(req) + checkResponseCode(t, http.StatusOK, rr) + keys = nil + err = json.Unmarshal(rr.Body.Bytes(), &keys) + assert.NoError(t, err) + counter := 0 + for _, k := range keys { + if strings.HasPrefix(k.Name, "testapikey") { + req, err = http.NewRequest(http.MethodDelete, fmt.Sprintf("%v/%v", apiKeysPath, k.KeyID), nil) + assert.NoError(t, err) + setBearerForReq(req, token) + rr = executeRequest(req) + checkResponseCode(t, http.StatusOK, rr) + counter++ + } + } + assert.Equal(t, 4, counter) +} + +func TestAPIKeyErrors(t *testing.T) { + token, err := getJWTAPITokenFromTestServer(defaultTokenAuthUser, defaultTokenAuthPass) + assert.NoError(t, err) + apiKey := dataprovider.APIKey{ + Name: "testkey", + Scope: dataprovider.APIKeyScopeUser, + } + asJSON, err := json.Marshal(apiKey) + assert.NoError(t, err) + req, err := http.NewRequest(http.MethodPost, apiKeysPath, bytes.NewBuffer(asJSON)) + assert.NoError(t, err) + setBearerForReq(req, token) + rr := executeRequest(req) + checkResponseCode(t, http.StatusCreated, rr) + location := rr.Header().Get("Location") + assert.NotEmpty(t, location) + + // invalid API scope + apiKey.Scope = 1000 + asJSON, err = json.Marshal(apiKey) + assert.NoError(t, err) + req, err = http.NewRequest(http.MethodPost, apiKeysPath, bytes.NewBuffer(asJSON)) + assert.NoError(t, err) + setBearerForReq(req, token) + rr = executeRequest(req) + checkResponseCode(t, http.StatusBadRequest, rr) + + req, err = http.NewRequest(http.MethodPut, location, bytes.NewBuffer(asJSON)) + assert.NoError(t, err) + setBearerForReq(req, token) + rr = executeRequest(req) + checkResponseCode(t, http.StatusBadRequest, rr) + + // invalid JSON + req, err = http.NewRequest(http.MethodPost, apiKeysPath, bytes.NewBuffer([]byte(`invalid JSON`))) + assert.NoError(t, err) + setBearerForReq(req, token) + rr = executeRequest(req) + checkResponseCode(t, http.StatusBadRequest, rr) + + req, err = http.NewRequest(http.MethodPut, location, bytes.NewBuffer([]byte(`invalid JSON`))) + assert.NoError(t, err) + setBearerForReq(req, token) + rr = executeRequest(req) + checkResponseCode(t, http.StatusBadRequest, rr) + + req, err = http.NewRequest(http.MethodDelete, location, nil) + assert.NoError(t, err) + setBearerForReq(req, token) + rr = executeRequest(req) + checkResponseCode(t, http.StatusOK, rr) + + req, err = http.NewRequest(http.MethodDelete, location, nil) + assert.NoError(t, err) + setBearerForReq(req, token) + rr = executeRequest(req) + checkResponseCode(t, http.StatusNotFound, rr) + + req, err = http.NewRequest(http.MethodPut, location, bytes.NewBuffer(asJSON)) + assert.NoError(t, err) + setBearerForReq(req, token) + rr = executeRequest(req) + checkResponseCode(t, http.StatusNotFound, rr) +} + +func TestAPIKeyOnDeleteCascade(t *testing.T) { + user, _, err := httpdtest.AddUser(getTestUser(), http.StatusCreated) + assert.NoError(t, err) + admin := getTestAdmin() + admin.Username = altAdminUsername + admin.Password = altAdminPassword + admin, _, err = httpdtest.AddAdmin(admin, http.StatusCreated) + assert.NoError(t, err) + + apiKey := dataprovider.APIKey{ + Name: "user api key", + Scope: dataprovider.APIKeyScopeUser, + User: user.Username, + } + + apiKey, _, err = httpdtest.AddAPIKey(apiKey, http.StatusCreated) + assert.NoError(t, err) + + req, err := http.NewRequest(http.MethodGet, userDirsPath, nil) + assert.NoError(t, err) + setAPIKeyForReq(req, apiKey.Key, "") + rr := executeRequest(req) + checkResponseCode(t, http.StatusUnauthorized, rr) + + user.Filters.AllowAPIKeyAuth = true + user, _, err = httpdtest.UpdateUser(user, http.StatusOK, "") + assert.NoError(t, err) + req, err = http.NewRequest(http.MethodGet, userDirsPath, nil) + assert.NoError(t, err) + setAPIKeyForReq(req, apiKey.Key, "") + rr = executeRequest(req) + checkResponseCode(t, http.StatusOK, rr) + var contents []map[string]interface{} + err = json.NewDecoder(rr.Body).Decode(&contents) + assert.NoError(t, err) + assert.Len(t, contents, 0) + + _, err = httpdtest.RemoveUser(user, http.StatusOK) + assert.NoError(t, err) + err = os.RemoveAll(user.GetHomeDir()) + assert.NoError(t, err) + + _, _, err = httpdtest.GetAPIKeyByID(apiKey.KeyID, http.StatusNotFound) + assert.NoError(t, err) + + apiKey.User = "" + apiKey.Admin = admin.Username + apiKey.Scope = dataprovider.APIKeyScopeAdmin + + apiKey, _, err = httpdtest.AddAPIKey(apiKey, http.StatusCreated) + assert.NoError(t, err) + + _, err = httpdtest.RemoveAdmin(admin, http.StatusOK) + assert.NoError(t, err) + + _, _, err = httpdtest.GetAPIKeyByID(apiKey.KeyID, http.StatusNotFound) + assert.NoError(t, err) +} + func TestBasicWebUsersMock(t *testing.T) { token, err := getJWTAPITokenFromTestServer(defaultTokenAuthUser, defaultTokenAuthPass) assert.NoError(t, err) @@ -7515,9 +8423,17 @@ func TestWebMaintenanceMock(t *testing.T) { admin := getTestAdmin() admin.ID = 1 admin.Username = "test_admin_web_restore" + + apiKey := dataprovider.APIKey{ + Name: "key name", + KeyID: shortuuid.New(), + Key: fmt.Sprintf("%v.%v", shortuuid.New(), shortuuid.New()), + Scope: dataprovider.APIKeyScopeAdmin, + } backupData := dataprovider.BackupData{} backupData.Users = append(backupData.Users, user) backupData.Admins = append(backupData.Admins, admin) + backupData.APIKeys = append(backupData.APIKeys, apiKey) backupContent, err := json.Marshal(backupData) assert.NoError(t, err) err = os.WriteFile(backupFilePath, backupContent, os.ModePerm) @@ -7540,6 +8456,14 @@ func TestWebMaintenanceMock(t *testing.T) { assert.NoError(t, err) _, err = httpdtest.RemoveAdmin(admin, http.StatusOK) assert.NoError(t, err) + + _, _, err = httpdtest.GetAPIKeyByID(apiKey.KeyID, http.StatusOK) + assert.NoError(t, err) + _, err = httpdtest.RemoveAPIKey(apiKey, http.StatusOK) + assert.NoError(t, err) + + err = os.Remove(backupFilePath) + assert.NoError(t, err) } func TestWebUserAddMock(t *testing.T) { @@ -7766,6 +8690,7 @@ func TestWebUserAddMock(t *testing.T) { assert.False(t, newUser.Filters.Hooks.PreLoginDisabled) assert.False(t, newUser.Filters.Hooks.CheckPasswordDisabled) assert.True(t, newUser.Filters.DisableFsChecks) + assert.False(t, newUser.Filters.AllowAPIKeyAuth) assert.True(t, util.IsStringInSlice(testPubKey, newUser.PublicKeys)) if val, ok := newUser.Permissions["/subdir"]; ok { assert.True(t, util.IsStringInSlice(dataprovider.PermListItems, val)) @@ -7837,6 +8762,7 @@ func TestWebUserUpdateMock(t *testing.T) { user.QuotaFiles = 2 user.QuotaSize = 3 user.GID = 1000 + user.Filters.AllowAPIKeyAuth = true user.AdditionalInfo = "new additional info" form := make(url.Values) form.Set("username", user.Username) @@ -7868,6 +8794,7 @@ func TestWebUserUpdateMock(t *testing.T) { form.Set("additional_info", user.AdditionalInfo) form.Set("description", user.Description) form.Set("tls_username", string(sdk.TLSUsernameCN)) + form.Set("allow_api_key_auth", "1") b, contentType, _ := getMultipartFormData(form, "", "") req, _ = http.NewRequest(http.MethodPost, path.Join(webUserPath, user.Username), &b) setJWTCookieForReq(req, webToken) @@ -7931,6 +8858,7 @@ func TestWebUserUpdateMock(t *testing.T) { assert.Equal(t, user.Description, updateUser.Description) assert.Equal(t, int64(100), updateUser.Filters.MaxUploadFileSize) assert.Equal(t, sdk.TLSUsernameCN, updateUser.Filters.TLSUsername) + assert.True(t, updateUser.Filters.AllowAPIKeyAuth) if val, ok := updateUser.Permissions["/otherdir"]; ok { assert.True(t, util.IsStringInSlice(dataprovider.PermListItems, val)) @@ -8464,6 +9392,7 @@ func TestWebUserS3Mock(t *testing.T) { form.Set("s3_force_path_style", "checked") form.Set("description", user.Description) form.Add("hooks", "pre_login_disabled") + form.Add("allow_api_key_auth", "1") // test invalid s3_upload_part_size form.Set("s3_upload_part_size", "a") b, contentType, _ := getMultipartFormData(form, "", "") @@ -8546,6 +9475,7 @@ func TestWebUserS3Mock(t *testing.T) { assert.False(t, updateUser.Filters.Hooks.ExternalAuthDisabled) assert.False(t, updateUser.Filters.Hooks.CheckPasswordDisabled) assert.False(t, updateUser.Filters.DisableFsChecks) + assert.True(t, updateUser.Filters.AllowAPIKeyAuth) // now check that a redacted password is not saved form.Set("s3_access_secret", redactedSecret) b, contentType, _ = getMultipartFormData(form, "", "") @@ -9749,6 +10679,13 @@ func setBearerForReq(req *http.Request, jwtToken string) { req.Header.Set("Authorization", fmt.Sprintf("Bearer %v", jwtToken)) } +func setAPIKeyForReq(req *http.Request, apiKey, username string) { + if username != "" { + apiKey += "." + username + } + req.Header.Set("X-SFTPGO-API-KEY", apiKey) +} + func setJWTCookieForReq(req *http.Request, jwtToken string) { req.Header.Set("Cookie", fmt.Sprintf("jwt=%v", jwtToken)) } diff --git a/httpd/internal_test.go b/httpd/internal_test.go index 7003d3d3..0e1ce667 100644 --- a/httpd/internal_test.go +++ b/httpd/internal_test.go @@ -516,7 +516,9 @@ func TestCreateTokenError(t *testing.T) { req.Header.Set("Content-Type", "application/x-www-form-urlencoded") rr = httptest.NewRecorder() handleWebAdminChangePwdPost(rr, req) - assert.Equal(t, http.StatusOK, rr.Code, rr.Body.String()) + // the claim is invalid so we fail to render the client page since + // we have to load the logged admin + assert.Equal(t, http.StatusInternalServerError, rr.Code, rr.Body.String()) req, _ = http.NewRequest(http.MethodGet, webLoginPath+"?a=a%C3%A2%G3", nil) req.Header.Set("Content-Type", "application/x-www-form-urlencoded") @@ -541,6 +543,18 @@ func TestCreateTokenError(t *testing.T) { handleWebClientManageKeysPost(rr, req) assert.Equal(t, http.StatusInternalServerError, rr.Code, rr.Body.String()) + req, _ = http.NewRequest(http.MethodPost, webChangeClientAPIKeyAccessPath+"?a=a%C3%AO%GA", bytes.NewBuffer([]byte(form.Encode()))) + req.Header.Set("Content-Type", "application/x-www-form-urlencoded") + rr = httptest.NewRecorder() + handleWebClientManageAPIKeyPost(rr, req) + assert.Equal(t, http.StatusInternalServerError, rr.Code, rr.Body.String()) + + req, _ = http.NewRequest(http.MethodPost, webChangeAdminAPIKeyAccessPath+"?a=a%C3%AO%GB", bytes.NewBuffer([]byte(form.Encode()))) + req.Header.Set("Content-Type", "application/x-www-form-urlencoded") + rr = httptest.NewRecorder() + handleWebAdminManageAPIKeyPost(rr, req) + assert.Equal(t, http.StatusInternalServerError, rr.Code, rr.Body.String()) + username := "webclientuser" user = dataprovider.User{ BaseUser: sdk.BaseUser{ @@ -552,7 +566,8 @@ func TestCreateTokenError(t *testing.T) { }, } user.Permissions = make(map[string][]string) - user.Permissions["/"] = []string{"*"} + user.Permissions["/"] = []string{dataprovider.PermAny} + user.Filters.AllowAPIKeyAuth = true err = dataprovider.AddUser(&user) assert.NoError(t, err) @@ -567,8 +582,34 @@ func TestCreateTokenError(t *testing.T) { server.handleWebClientLoginPost(rr, req) assert.Equal(t, http.StatusOK, rr.Code, rr.Body.String()) + err = authenticateUserWithAPIKey(username, "", server.tokenAuth, req) + assert.Error(t, err) + err = dataprovider.DeleteUser(username) assert.NoError(t, err) + + admin.Username += "1" + admin.Status = 1 + admin.Filters.AllowAPIKeyAuth = true + admin.Permissions = []string{dataprovider.PermAdminAny} + err = dataprovider.AddAdmin(&admin) + assert.NoError(t, err) + + err = authenticateAdminWithAPIKey(admin.Username, "", server.tokenAuth, req) + assert.Error(t, err) + + err = dataprovider.DeleteAdmin(admin.Username) + assert.NoError(t, err) +} + +func TestAPIKeyAuthForbidden(t *testing.T) { + r := GetHTTPRouter() + fn := forbidAPIKeyAuthentication(r) + rr := httptest.NewRecorder() + req, _ := http.NewRequest(http.MethodGet, versionPath, nil) + fn.ServeHTTP(rr, req) + assert.Equal(t, http.StatusBadRequest, rr.Code) + assert.Contains(t, rr.Body.String(), "Invalid token claims") } func TestJWTTokenValidation(t *testing.T) { @@ -1594,7 +1635,7 @@ func TestGetFilesInvalidClaims(t *testing.T) { assert.Contains(t, rr.Body.String(), "Invalid token claims") } -func TestManageKeysInvalidClaims(t *testing.T) { +func TestInvalidClaims(t *testing.T) { server := httpdServer{} server.initializeRouter() @@ -1620,7 +1661,35 @@ func TestManageKeysInvalidClaims(t *testing.T) { req.Header.Set("Cookie", fmt.Sprintf("jwt=%v", token["access_token"])) handleWebClientManageKeysPost(rr, req) assert.Equal(t, http.StatusInternalServerError, rr.Code) - assert.Contains(t, rr.Body.String(), "Invalid token claims") + + form = make(url.Values) + form.Set(csrfFormToken, createCSRFToken()) + form.Set("allow_api_key_auth", "") + req, _ = http.NewRequest(http.MethodPost, webChangeClientKeysPath, bytes.NewBuffer([]byte(form.Encode()))) + req.Header.Set("Content-Type", "application/x-www-form-urlencoded") + req.Header.Set("Cookie", fmt.Sprintf("jwt=%v", token["access_token"])) + handleWebClientManageAPIKeyPost(rr, req) + assert.Equal(t, http.StatusInternalServerError, rr.Code) + + admin := dataprovider.Admin{ + Username: "", + Password: user.Password, + } + c = jwtTokenClaims{ + Username: admin.Username, + Permissions: nil, + Signature: admin.GetSignature(), + } + token, err = c.createTokenResponse(server.tokenAuth, tokenAudienceWebAdmin) + assert.NoError(t, err) + form = make(url.Values) + form.Set(csrfFormToken, createCSRFToken()) + form.Set("allow_api_key_auth", "") + req, _ = http.NewRequest(http.MethodPost, webChangeClientKeysPath, bytes.NewBuffer([]byte(form.Encode()))) + req.Header.Set("Content-Type", "application/x-www-form-urlencoded") + req.Header.Set("Cookie", fmt.Sprintf("jwt=%v", token["access_token"])) + handleWebAdminManageAPIKeyPost(rr, req) + assert.Equal(t, http.StatusInternalServerError, rr.Code) } func TestTLSReq(t *testing.T) { diff --git a/httpd/middleware.go b/httpd/middleware.go index 90cab4a3..f72fa27f 100644 --- a/httpd/middleware.go +++ b/httpd/middleware.go @@ -2,14 +2,21 @@ package httpd import ( "errors" + "fmt" "net/http" "runtime/debug" + "strings" + "time" "github.com/go-chi/chi/v5/middleware" "github.com/go-chi/jwtauth/v5" "github.com/lestrrat-go/jwx/jwt" + "github.com/rs/xid" + "github.com/drakkan/sftpgo/v2/common" + "github.com/drakkan/sftpgo/v2/dataprovider" "github.com/drakkan/sftpgo/v2/logger" + "github.com/drakkan/sftpgo/v2/sdk" "github.com/drakkan/sftpgo/v2/util" ) @@ -201,6 +208,88 @@ func verifyCSRFHeader(next http.Handler) http.Handler { }) } +func checkAPIKeyAuth(tokenAuth *jwtauth.JWTAuth, scope dataprovider.APIKeyScope) func(next http.Handler) http.Handler { + return func(next http.Handler) http.Handler { + return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + apiKey := r.Header.Get("X-SFTPGO-API-KEY") + if apiKey == "" { + next.ServeHTTP(w, r) + return + } + keyParams := strings.SplitN(apiKey, ".", 3) + if len(keyParams) < 2 { + logger.Debug(logSender, "", "invalid api key %#v", apiKey) + sendAPIResponse(w, r, errors.New("the provided api key is not valid"), "", http.StatusBadRequest) + return + } + keyID := keyParams[0] + key := keyParams[1] + apiUser := "" + if len(keyParams) > 2 { + apiUser = keyParams[2] + } + + k, err := dataprovider.APIKeyExists(keyID) + if err != nil { + logger.Debug(logSender, "invalid api key %#v: %v", apiKey, err) + sendAPIResponse(w, r, errors.New("the provided api key is not valid"), "", http.StatusBadRequest) + return + } + if err := k.Authenticate(key); err != nil { + logger.Debug(logSender, "unable to authenticate api key %#v: %v", apiKey, err) + sendAPIResponse(w, r, fmt.Errorf("the provided api key cannot be authenticated"), "", http.StatusUnauthorized) + return + } + if scope == dataprovider.APIKeyScopeAdmin { + if k.Admin != "" { + apiUser = k.Admin + } + if err := authenticateAdminWithAPIKey(apiUser, keyID, tokenAuth, r); err != nil { + logger.Debug(logSender, "", "unable to authenticate admin %#v associated with api key %#v: %v", + apiUser, apiKey, err) + sendAPIResponse(w, r, fmt.Errorf("the admin associated with the provided api key cannot be authenticated"), + "", http.StatusUnauthorized) + return + } + } else { + if k.User != "" { + apiUser = k.User + } + if err := authenticateUserWithAPIKey(apiUser, keyID, tokenAuth, r); err != nil { + logger.Debug(logSender, "", "unable to authenticate user %#v associated with api key %#v: %v", + apiUser, apiKey, err) + code := http.StatusUnauthorized + if errors.Is(err, common.ErrInternalFailure) { + code = http.StatusInternalServerError + } + sendAPIResponse(w, r, errors.New("the user associated with the provided api key cannot be authenticated"), + "", code) + return + } + } + dataprovider.UpdateAPIKeyLastUse(&k) //nolint:errcheck + + next.ServeHTTP(w, r) + }) + } +} + +func forbidAPIKeyAuthentication(next http.Handler) http.Handler { + return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + claims, err := getTokenClaims(r) + if err != nil || claims.Username == "" { + sendAPIResponse(w, r, err, "Invalid token claims", http.StatusBadRequest) + return + } + if claims.APIKeyID != "" { + sendAPIResponse(w, r, nil, "API key authentication is not allowed", http.StatusForbidden) + return + } + + next.ServeHTTP(w, r) + }) +} + func recoverer(next http.Handler) http.Handler { fn := func(w http.ResponseWriter, r *http.Request) { defer func() { @@ -225,3 +314,91 @@ func recoverer(next http.Handler) http.Handler { return http.HandlerFunc(fn) } + +func authenticateAdminWithAPIKey(username, keyID string, tokenAuth *jwtauth.JWTAuth, r *http.Request) error { + if username == "" { + return errors.New("the provided key is not associated with any admin and no username was provided") + } + admin, err := dataprovider.AdminExists(username) + if err != nil { + return err + } + if !admin.Filters.AllowAPIKeyAuth { + return fmt.Errorf("API key authentication disabled for admin %#v", admin.Username) + } + if err := admin.CanLogin(util.GetIPFromRemoteAddress(r.RemoteAddr)); err != nil { + return err + } + c := jwtTokenClaims{ + Username: admin.Username, + Permissions: admin.Permissions, + Signature: admin.GetSignature(), + APIKeyID: keyID, + } + + resp, err := c.createTokenResponse(tokenAuth, tokenAudienceAPI) + if err != nil { + return err + } + r.Header.Set("Authorization", fmt.Sprintf("Bearer %v", resp["access_token"])) + + return nil +} + +func authenticateUserWithAPIKey(username, keyID string, tokenAuth *jwtauth.JWTAuth, r *http.Request) error { + ipAddr := util.GetIPFromRemoteAddress(r.RemoteAddr) + if username == "" { + err := errors.New("the provided key is not associated with any user and no username was provided") + updateLoginMetrics(&dataprovider.User{BaseUser: sdk.BaseUser{Username: username}}, ipAddr, err) + return err + } + if err := common.Config.ExecutePostConnectHook(ipAddr, common.ProtocolHTTP); err != nil { + return err + } + user, err := dataprovider.UserExists(username) + if err != nil { + updateLoginMetrics(&dataprovider.User{BaseUser: sdk.BaseUser{Username: username}}, ipAddr, err) + return err + } + if !user.Filters.AllowAPIKeyAuth { + err := fmt.Errorf("API key authentication disabled for user %#v", user.Username) + updateLoginMetrics(&user, ipAddr, err) + return err + } + if err := user.CheckLoginConditions(); err != nil { + updateLoginMetrics(&user, ipAddr, err) + return err + } + connectionID := fmt.Sprintf("%v_%v", common.ProtocolHTTP, xid.New().String()) + if err := checkHTTPClientUser(&user, r, connectionID); err != nil { + updateLoginMetrics(&user, ipAddr, err) + return err + } + lastLogin := util.GetTimeFromMsecSinceEpoch(user.LastLogin) + diff := -time.Until(lastLogin) + if diff < 0 || diff > 10*time.Minute { + defer user.CloseFs() //nolint:errcheck + err = user.CheckFsRoot(connectionID) + if err != nil { + updateLoginMetrics(&user, ipAddr, common.ErrInternalFailure) + return common.ErrInternalFailure + } + } + c := jwtTokenClaims{ + Username: user.Username, + Permissions: user.Filters.WebClient, + Signature: user.GetSignature(), + APIKeyID: keyID, + } + + resp, err := c.createTokenResponse(tokenAuth, tokenAudienceAPIUser) + if err != nil { + updateLoginMetrics(&user, ipAddr, common.ErrInternalFailure) + return err + } + r.Header.Set("Authorization", fmt.Sprintf("Bearer %v", resp["access_token"])) + dataprovider.UpdateLastLogin(&user) //nolint:errcheck + updateLoginMetrics(&user, ipAddr, nil) + + return nil +} diff --git a/httpd/schema/openapi.yaml b/httpd/schema/openapi.yaml index c7d6b949..78c3bfa6 100644 --- a/httpd/schema/openapi.yaml +++ b/httpd/schema/openapi.yaml @@ -4,6 +4,7 @@ tags: - name: token - name: maintenance - name: admins + - name: API keys - name: connections - name: defender - name: quota @@ -28,6 +29,7 @@ servers: - url: /api/v2 security: - BearerAuth: [] + - APIKeyAuth: [] paths: /healthz: get: @@ -73,6 +75,8 @@ paths: $ref: '#/components/responses/DefaultResponse' /logout: get: + security: + - BearerAuth: [] tags: - token summary: Invalidate an admin access token @@ -119,6 +123,8 @@ paths: $ref: '#/components/responses/DefaultResponse' /user/logout: get: + security: + - BearerAuth: [] tags: - token summary: Invalidate a user access token @@ -163,6 +169,8 @@ paths: $ref: '#/components/responses/DefaultResponse' /changepwd/admin: put: + security: + - BearerAuth: [] tags: - admins summary: Change admin password @@ -192,6 +200,8 @@ paths: $ref: '#/components/responses/DefaultResponse' /admin/changepwd: put: + security: + - BearerAuth: [] tags: - admins summary: Change admin password @@ -1123,6 +1133,207 @@ paths: $ref: '#/components/responses/InternalServerError' default: $ref: '#/components/responses/DefaultResponse' + /apikeys: + get: + security: + - BearerAuth: [] + tags: + - API keys + summary: Get API keys + description: Returns an array with one or more API keys. For security reasons hashed keys are omitted in the response + operationId: get_api_keys + parameters: + - in: query + name: offset + schema: + type: integer + minimum: 0 + default: 0 + required: false + - in: query + name: limit + schema: + type: integer + minimum: 1 + maximum: 500 + default: 100 + required: false + description: 'The maximum number of items to return. Max value is 500, default is 100' + - in: query + name: order + required: false + description: Ordering API keys by id. Default ASC + schema: + type: string + enum: + - ASC + - DESC + example: ASC + responses: + '200': + description: successful operation + content: + application/json: + schema: + type: array + items: + $ref: '#/components/schemas/APIKey' + '400': + $ref: '#/components/responses/BadRequest' + '401': + $ref: '#/components/responses/Unauthorized' + '403': + $ref: '#/components/responses/Forbidden' + '500': + $ref: '#/components/responses/InternalServerError' + default: + $ref: '#/components/responses/DefaultResponse' + post: + security: + - BearerAuth: [] + tags: + - API keys + summary: Add API key + description: Adds a new API key + operationId: add_api_key + requestBody: + required: true + content: + application/json: + schema: + $ref: '#/components/schemas/APIKey' + responses: + '201': + description: successful operation + headers: + X-Object-ID: + schema: + type: string + description: ID for the new created API key + Location: + schema: + type: string + description: URL to retrieve the details for the new created API key + content: + application/json: + schema: + type: object + properties: + mesage: + type: string + example: 'API key created. This is the only time the API key is visible, please save it.' + key: + type: string + description: 'generated API key' + '400': + $ref: '#/components/responses/BadRequest' + '401': + $ref: '#/components/responses/Unauthorized' + '403': + $ref: '#/components/responses/Forbidden' + '500': + $ref: '#/components/responses/InternalServerError' + default: + $ref: '#/components/responses/DefaultResponse' + '/apikeys/{id}': + parameters: + - name: id + in: path + description: the key id + required: true + schema: + type: string + get: + security: + - BearerAuth: [] + tags: + - API keys + summary: Find API key by id + description: Returns the API key with the given id, if it exists. For security reasons the hashed key is omitted in the response + operationId: get_api_key_by_id + responses: + '200': + description: successful operation + content: + application/json: + schema: + $ref: '#/components/schemas/APIKey' + '400': + $ref: '#/components/responses/BadRequest' + '401': + $ref: '#/components/responses/Unauthorized' + '403': + $ref: '#/components/responses/Forbidden' + '404': + $ref: '#/components/responses/NotFound' + '500': + $ref: '#/components/responses/InternalServerError' + default: + $ref: '#/components/responses/DefaultResponse' + put: + security: + - BearerAuth: [] + tags: + - API keys + summary: Update API key + description: Updates an existing API key. You cannot update the key itself, the creation date and the last use + operationId: update_api_key + requestBody: + required: true + content: + application/json: + schema: + $ref: '#/components/schemas/APIKey' + responses: + '200': + description: successful operation + content: + application/json: + schema: + $ref: '#/components/schemas/ApiResponse' + example: + message: API key updated + '400': + $ref: '#/components/responses/BadRequest' + '401': + $ref: '#/components/responses/Unauthorized' + '403': + $ref: '#/components/responses/Forbidden' + '404': + $ref: '#/components/responses/NotFound' + '500': + $ref: '#/components/responses/InternalServerError' + default: + $ref: '#/components/responses/DefaultResponse' + delete: + security: + - BearerAuth: [] + tags: + - API keys + summary: Delete API key + description: Deletes an existing API key + operationId: delete_api_key + responses: + '200': + description: successful operation + content: + application/json: + schema: + $ref: '#/components/schemas/ApiResponse' + example: + message: Admin deleted + '400': + $ref: '#/components/responses/BadRequest' + '401': + $ref: '#/components/responses/Unauthorized' + '403': + $ref: '#/components/responses/Forbidden' + '404': + $ref: '#/components/responses/NotFound' + '500': + $ref: '#/components/responses/InternalServerError' + default: + $ref: '#/components/responses/DefaultResponse' /admins: get: tags: @@ -1258,7 +1469,7 @@ paths: tags: - admins summary: Update admin - description: Updates an existing admin + description: Updates an existing admin. You are not allowed to update the admin impersonated using an API key operationId: update_admin requestBody: required: true @@ -1605,9 +1816,9 @@ paths: - 2 description: | Mode: - * `0` New users/admins are added, existing users/admins are updated. This is the default - * `1` New users/admins are added, existing users/admins are not modified - * `2` New users are added, existing users are updated and, if connected, they are disconnected and so forced to use the new configuration + * `0` New users/admins/API keys are added, existing ones are updated. This is the default + * `1` New users/admins/API keys are added, existing ones are not modified + * `2` New users/admins/API keys are added, existing ones are updated and connected users are disconnected and so forced to use the new configuration get: tags: - maintenance @@ -1673,6 +1884,8 @@ paths: $ref: '#/components/responses/DefaultResponse' /user/changepwd: put: + security: + - BearerAuth: [] tags: - users API summary: Change user password @@ -1701,6 +1914,8 @@ paths: $ref: '#/components/responses/DefaultResponse' /user/publickeys: get: + security: + - BearerAuth: [] tags: - users API summary: Get the user's public keys @@ -1726,6 +1941,8 @@ paths: default: $ref: '#/components/responses/DefaultResponse' put: + security: + - BearerAuth: [] tags: - users API summary: Set the user's public keys @@ -2248,6 +2465,7 @@ components: - close_conns - view_status - manage_admins + - manage_apikeys - quota_scans - manage_system - manage_defender @@ -2263,6 +2481,7 @@ components: * `close_conns` - close active connections is allowed * `view_status` - view the server status is allowed * `manage_admins` - manage other admins is allowed + * `manage_apikeys` - manage API keys is allowed * `manage_defender` - remove ip from the dynamic blocklist is allowed * `view_defender` - list the dynamic blocklist is allowed LoginMethods: @@ -2306,6 +2525,15 @@ components: Options: * `publickey-change-disabled` - changing SSH public keys is not allowed * `write-disabled` - upload, rename, delete are not allowed even if the user has permissions for these actions + APIKeyScope: + type: integer + enum: + - 1 + - 2 + description: | + Options: + * `1` - admin scope. The API key will be used to impersonate an SFTPGo admin + * `2` - user scope. The API key will be used to impersonate an SFTPGo user PatternsFilter: type: object properties: @@ -2397,6 +2625,9 @@ components: items: $ref: '#/components/schemas/WebClientOptions' description: WebClient/user REST API related configuration options + allow_api_key_auth: + type: boolean + description: 'API key authentication allows to impersonate this user with an API key' description: Additional user options Secret: type: object @@ -2760,6 +2991,9 @@ components: example: - 192.0.2.0/24 - '2001:db8::/32' + allow_api_key_auth: + type: boolean + description: 'API key auth allows to impersonate this administrator with an API key' Admin: type: object properties: @@ -2798,6 +3032,46 @@ components: additional_info: type: string description: Free form text field + APIKey: + type: object + properties: + id: + type: string + description: unique key identifier + name: + type: string + description: User friendly key name + key: + type: string + format: password + description: We store the hash of the key. This is just like a password. For security reasons this field is omitted when you search/get API keys + scope: + $ref: '#/components/schemas/APIKeyScope' + created_at: + type: integer + format: int64 + description: creation time as unix timestamp in milliseconds + updated_at: + type: integer + format: int64 + description: last update time as unix timestamp in milliseconds + last_use_at: + type: integer + format: int64 + description: last use time as unix timestamp in milliseconds. It is saved at most once every 10 minutes + expires_at: + type: integer + format: int64 + description: expiration time as unix timestamp in milliseconds + description: + type: string + description: optional description + user: + type: string + description: username associated with this API key. If empty and the scope is "user scope" the key can impersonate any user + admin: + type: string + description: admin associated with this API key. If empty and the scope is "admin scope" the key can impersonate any admin QuotaUsage: type: object properties: @@ -3063,6 +3337,8 @@ components: type: array items: $ref: '#/components/schemas/Admin' + api_keys: + $ref: '#/components/schemas/APIKey' version: type: integer PwdChange: @@ -3132,3 +3408,8 @@ components: type: http scheme: bearer bearerFormat: JWT + APIKeyAuth: + type: apiKey + in: header + name: X-SFTPGO-API-KEY + description: 'API key to use for authentication. API key authentication is intrinsically less secure than using a short lived JWT token. You should prefer API key authentication only for machine-to-machine communications in trusted environments. If no admin/user is associated to the provided key you need to add ".username" at the end of the key. For example if your API key is "6ajKLwswLccVBGpZGv596G.ySAXc8vtp9hMiwAuaLtzof" and you want to impersonate the admin with username "myadmin" you have to use "6ajKLwswLccVBGpZGv596G.ySAXc8vtp9hMiwAuaLtzof.myadmin" as API key. When using API key authentication you cannot manage API keys, update the impersonated admin, change password or public keys for the impersonated user.' diff --git a/httpd/server.go b/httpd/server.go index 865cd1c7..fa447d37 100644 --- a/httpd/server.go +++ b/httpd/server.go @@ -131,11 +131,12 @@ func (s *httpdServer) renderClientLoginPage(w http.ResponseWriter, error string) } func (s *httpdServer) handleClientWebLogin(w http.ResponseWriter, r *http.Request) { + r.Body = http.MaxBytesReader(w, r.Body, maxLoginBodySize) s.renderClientLoginPage(w, "") } func (s *httpdServer) handleWebClientLoginPost(w http.ResponseWriter, r *http.Request) { - r.Body = http.MaxBytesReader(w, r.Body, maxLoginPostSize) + r.Body = http.MaxBytesReader(w, r.Body, maxLoginBodySize) if err := r.ParseForm(); err != nil { s.renderClientLoginPage(w, err.Error()) @@ -201,7 +202,7 @@ func (s *httpdServer) handleWebClientLoginPost(w http.ResponseWriter, r *http.Re } func (s *httpdServer) handleWebAdminLoginPost(w http.ResponseWriter, r *http.Request) { - r.Body = http.MaxBytesReader(w, r.Body, maxLoginPostSize) + r.Body = http.MaxBytesReader(w, r.Body, maxLoginBodySize) if err := r.ParseForm(); err != nil { s.renderAdminLoginPage(w, err.Error()) return @@ -239,6 +240,7 @@ func (s *httpdServer) renderAdminLoginPage(w http.ResponseWriter, error string) } func (s *httpdServer) handleWebAdminLogin(w http.ResponseWriter, r *http.Request) { + r.Body = http.MaxBytesReader(w, r.Body, maxLoginBodySize) if !dataprovider.HasAdmin() { http.Redirect(w, r, webAdminSetupPath, http.StatusFound) return @@ -247,7 +249,7 @@ func (s *httpdServer) handleWebAdminLogin(w http.ResponseWriter, r *http.Request } func (s *httpdServer) handleWebAdminSetupPost(w http.ResponseWriter, r *http.Request) { - r.Body = http.MaxBytesReader(w, r.Body, maxLoginPostSize) + r.Body = http.MaxBytesReader(w, r.Body, maxLoginBodySize) if dataprovider.HasAdmin() { renderBadRequestPage(w, r, errors.New("an admin user already exists")) return @@ -308,11 +310,13 @@ func (s *httpdServer) loginAdmin(w http.ResponseWriter, r *http.Request, admin * } func (s *httpdServer) logout(w http.ResponseWriter, r *http.Request) { + r.Body = http.MaxBytesReader(w, r.Body, maxLoginBodySize) invalidateToken(r) sendAPIResponse(w, r, nil, "Your token has been invalidated", http.StatusOK) } func (s *httpdServer) getUserToken(w http.ResponseWriter, r *http.Request) { + r.Body = http.MaxBytesReader(w, r.Body, maxLoginBodySize) ipAddr := util.GetIPFromRemoteAddress(r.RemoteAddr) username, password, ok := r.BasicAuth() if !ok { @@ -580,6 +584,7 @@ func (s *httpdServer) initializeRouter() { s.router.Use(middleware.StripSlashes) s.router.NotFound(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + r.Body = http.MaxBytesReader(w, r.Body, maxRequestSize) if (s.enableWebAdmin || s.enableWebClient) && isWebRequest(r) { r = s.updateContextFromCookie(r) if s.enableWebClient && (isWebClientRequest(r) || !s.enableWebAdmin) { @@ -599,25 +604,29 @@ func (s *httpdServer) initializeRouter() { s.router.Get(tokenPath, s.getToken) s.router.Group(func(router chi.Router) { + router.Use(checkAPIKeyAuth(s.tokenAuth, dataprovider.APIKeyScopeAdmin)) router.Use(jwtauth.Verify(s.tokenAuth, jwtauth.TokenFromHeader)) router.Use(jwtAuthenticatorAPI) router.Get(versionPath, func(w http.ResponseWriter, r *http.Request) { + r.Body = http.MaxBytesReader(w, r.Body, maxRequestSize) render.JSON(w, r, version.Get()) }) - router.Get(logoutPath, s.logout) - router.Put(adminPwdPath, changeAdminPassword) + router.With(forbidAPIKeyAuthentication).Get(logoutPath, s.logout) + router.With(forbidAPIKeyAuthentication).Put(adminPwdPath, changeAdminPassword) // compatibility layer to remove in v2.2 - router.Put(adminPwdCompatPath, changeAdminPassword) + router.With(forbidAPIKeyAuthentication).Put(adminPwdCompatPath, changeAdminPassword) router.With(checkPerm(dataprovider.PermAdminViewServerStatus)). Get(serverStatusPath, func(w http.ResponseWriter, r *http.Request) { + r.Body = http.MaxBytesReader(w, r.Body, maxRequestSize) render.JSON(w, r, getServicesStatus()) }) router.With(checkPerm(dataprovider.PermAdminViewConnections)). Get(activeConnectionsPath, func(w http.ResponseWriter, r *http.Request) { + r.Body = http.MaxBytesReader(w, r.Body, maxRequestSize) render.JSON(w, r, common.Connections.GetStats()) }) @@ -659,18 +668,31 @@ func (s *httpdServer) initializeRouter() { router.With(checkPerm(dataprovider.PermAdminManageAdmins)).Get(adminPath+"/{username}", getAdminByUsername) router.With(checkPerm(dataprovider.PermAdminManageAdmins)).Put(adminPath+"/{username}", updateAdmin) router.With(checkPerm(dataprovider.PermAdminManageAdmins)).Delete(adminPath+"/{username}", deleteAdmin) + router.With(forbidAPIKeyAuthentication, checkPerm(dataprovider.PermAdminManageAPIKeys)). + Get(apiKeysPath, getAPIKeys) + router.With(forbidAPIKeyAuthentication, checkPerm(dataprovider.PermAdminManageAPIKeys)). + Post(apiKeysPath, addAPIKey) + router.With(forbidAPIKeyAuthentication, checkPerm(dataprovider.PermAdminManageAPIKeys)). + Get(apiKeysPath+"/{id}", getAPIKeyByID) + router.With(forbidAPIKeyAuthentication, checkPerm(dataprovider.PermAdminManageAPIKeys)). + Put(apiKeysPath+"/{id}", updateAPIKey) + router.With(forbidAPIKeyAuthentication, checkPerm(dataprovider.PermAdminManageAPIKeys)). + Delete(apiKeysPath+"/{id}", deleteAPIKey) }) s.router.Get(userTokenPath, s.getUserToken) s.router.Group(func(router chi.Router) { + router.Use(checkAPIKeyAuth(s.tokenAuth, dataprovider.APIKeyScopeUser)) router.Use(jwtauth.Verify(s.tokenAuth, jwtauth.TokenFromHeader)) router.Use(jwtAuthenticatorAPIUser) - router.Get(userLogoutPath, s.logout) - router.Put(userPwdPath, changeUserPassword) - router.With(checkHTTPUserPerm(sdk.WebClientPubKeyChangeDisabled)).Get(userPublicKeysPath, getUserPublicKeys) - router.With(checkHTTPUserPerm(sdk.WebClientPubKeyChangeDisabled)).Put(userPublicKeysPath, setUserPublicKeys) + router.With(forbidAPIKeyAuthentication).Get(userLogoutPath, s.logout) + router.With(forbidAPIKeyAuthentication).Put(userPwdPath, changeUserPassword) + router.With(forbidAPIKeyAuthentication, checkHTTPUserPerm(sdk.WebClientPubKeyChangeDisabled)). + Get(userPublicKeysPath, getUserPublicKeys) + router.With(forbidAPIKeyAuthentication, checkHTTPUserPerm(sdk.WebClientPubKeyChangeDisabled)). + Put(userPublicKeysPath, setUserPublicKeys) // compatibility layer to remove in v2.3 router.With(compressor.Handler).Get(userFolderPath, readUserFolder) router.Get(userFilePath, getUserFile) @@ -693,16 +715,20 @@ func (s *httpdServer) initializeRouter() { }) if s.enableWebClient { s.router.Get(webRootPath, func(w http.ResponseWriter, r *http.Request) { + r.Body = http.MaxBytesReader(w, r.Body, maxRequestSize) s.redirectToWebPath(w, r, webClientLoginPath) }) s.router.Get(webBasePath, func(w http.ResponseWriter, r *http.Request) { + r.Body = http.MaxBytesReader(w, r.Body, maxRequestSize) s.redirectToWebPath(w, r, webClientLoginPath) }) } else { s.router.Get(webRootPath, func(w http.ResponseWriter, r *http.Request) { + r.Body = http.MaxBytesReader(w, r.Body, maxRequestSize) s.redirectToWebPath(w, r, webLoginPath) }) s.router.Get(webBasePath, func(w http.ResponseWriter, r *http.Request) { + r.Body = http.MaxBytesReader(w, r.Body, maxRequestSize) s.redirectToWebPath(w, r, webLoginPath) }) } @@ -710,6 +736,7 @@ func (s *httpdServer) initializeRouter() { if s.enableWebClient { s.router.Get(webBaseClientPath, func(w http.ResponseWriter, r *http.Request) { + r.Body = http.MaxBytesReader(w, r.Body, maxRequestSize) http.Redirect(w, r, webClientLoginPath, http.StatusMovedPermanently) }) s.router.Get(webClientLoginPath, s.handleClientWebLogin) @@ -737,6 +764,7 @@ func (s *httpdServer) initializeRouter() { router.With(s.refreshCookie).Get(webClientDownloadZipPath, handleWebClientDownloadZip) router.With(s.refreshCookie).Get(webClientCredentialsPath, handleClientGetCredentials) router.Post(webChangeClientPwdPath, handleWebClientChangePwdPost) + router.Post(webChangeClientAPIKeyAccessPath, handleWebClientManageAPIKeyPost) router.With(checkHTTPUserPerm(sdk.WebClientPubKeyChangeDisabled)). Post(webChangeClientKeysPath, handleWebClientManageKeysPost) }) @@ -744,6 +772,7 @@ func (s *httpdServer) initializeRouter() { if s.enableWebAdmin { s.router.Get(webBaseAdminPath, func(w http.ResponseWriter, r *http.Request) { + r.Body = http.MaxBytesReader(w, r.Body, maxLoginBodySize) s.redirectToWebPath(w, r, webLoginPath) }) s.router.Get(webLoginPath, s.handleWebAdminLogin) @@ -756,8 +785,9 @@ func (s *httpdServer) initializeRouter() { router.Use(jwtAuthenticatorWebAdmin) router.Get(webLogoutPath, handleWebLogout) - router.With(s.refreshCookie).Get(webChangeAdminPwdPath, handleWebAdminChangePwd) + router.With(s.refreshCookie).Get(webAdminCredentialsPath, handleWebAdminCredentials) router.Post(webChangeAdminPwdPath, handleWebAdminChangePwdPost) + router.Post(webChangeAdminAPIKeyAccessPath, handleWebAdminManageAPIKeyPost) router.With(checkPerm(dataprovider.PermAdminViewUsers), s.refreshCookie). Get(webUsersPath, handleGetWebUsers) router.With(checkPerm(dataprovider.PermAdminAddUsers), s.refreshCookie). @@ -782,14 +812,16 @@ func (s *httpdServer) initializeRouter() { router.With(checkPerm(dataprovider.PermAdminManageAdmins), s.refreshCookie). Get(webAdminPath+"/{username}", handleWebUpdateAdminGet) router.With(checkPerm(dataprovider.PermAdminManageAdmins)).Post(webAdminPath, handleWebAddAdminPost) - router.With(checkPerm(dataprovider.PermAdminManageAdmins)).Post(webAdminPath+"/{username}", handleWebUpdateAdminPost) + router.With(checkPerm(dataprovider.PermAdminManageAdmins)).Post(webAdminPath+"/{username}", + handleWebUpdateAdminPost) router.With(checkPerm(dataprovider.PermAdminManageAdmins), verifyCSRFHeader). Delete(webAdminPath+"/{username}", deleteAdmin) router.With(checkPerm(dataprovider.PermAdminCloseConnections), verifyCSRFHeader). Delete(webConnectionsPath+"/{connectionID}", handleCloseConnection) router.With(checkPerm(dataprovider.PermAdminChangeUsers), s.refreshCookie). Get(webFolderPath+"/{name}", handleWebUpdateFolderGet) - router.With(checkPerm(dataprovider.PermAdminChangeUsers)).Post(webFolderPath+"/{name}", handleWebUpdateFolderPost) + router.With(checkPerm(dataprovider.PermAdminChangeUsers)).Post(webFolderPath+"/{name}", + handleWebUpdateFolderPost) router.With(checkPerm(dataprovider.PermAdminDeleteUsers), verifyCSRFHeader). Delete(webFolderPath+"/{name}", deleteFolder) router.With(checkPerm(dataprovider.PermAdminQuotaScans), verifyCSRFHeader). @@ -809,7 +841,8 @@ func (s *httpdServer) initializeRouter() { router.With(checkPerm(dataprovider.PermAdminManageSystem)).Post(webTemplateFolder, handleWebTemplateFolderPost) router.With(checkPerm(dataprovider.PermAdminViewDefender)).Get(webDefenderPath, handleWebDefenderPage) router.With(checkPerm(dataprovider.PermAdminViewDefender)).Get(webDefenderHostsPath, getDefenderHosts) - router.With(checkPerm(dataprovider.PermAdminManageDefender)).Delete(webDefenderHostsPath+"/{id}", deleteDefenderHostByID) + router.With(checkPerm(dataprovider.PermAdminManageDefender)).Delete(webDefenderHostsPath+"/{id}", + deleteDefenderHostByID) }) } } diff --git a/httpd/webadmin.go b/httpd/webadmin.go index e47e763e..001ed733 100644 --- a/httpd/webadmin.go +++ b/httpd/webadmin.go @@ -54,7 +54,7 @@ const ( templateStatus = "status.html" templateLogin = "login.html" templateDefender = "defender.html" - templateChangePwd = "changepwd.html" + templateCredentials = "credentials.html" templateMaintenance = "maintenance.html" templateSetup = "adminsetup.html" pageUsersTitle = "Users" @@ -62,7 +62,7 @@ const ( pageConnectionsTitle = "Connections" pageStatusTitle = "Status" pageFoldersTitle = "Folders" - pageChangePwdTitle = "Change password" + pageCredentialsTitle = "Manage credentials" pageMaintenanceTitle = "Maintenance" pageDefenderTitle = "Defender" pageSetupTitle = "Create first admin user" @@ -88,7 +88,7 @@ type basePage struct { FolderTemplateURL string DefenderURL string LogoutURL string - ChangeAdminPwdURL string + CredentialsURL string FolderQuotaScanURL string StatusURL string MaintenanceURL string @@ -153,9 +153,13 @@ type adminPage struct { IsAdd bool } -type changePwdPage struct { +type credentialsPage struct { basePage - Error string + Error string + AllowAPIKeyAuth bool + ChangePwdURL string + ManageAPIKeyURL string + APIKeyError string } type maintenancePage struct { @@ -213,9 +217,9 @@ func loadAdminTemplates(templatesPath string) { filepath.Join(templatesPath, templateAdminDir, templateBase), filepath.Join(templatesPath, templateAdminDir, templateAdmin), } - changePwdPaths := []string{ + credentialsPaths := []string{ filepath.Join(templatesPath, templateAdminDir, templateBase), - filepath.Join(templatesPath, templateAdminDir, templateChangePwd), + filepath.Join(templatesPath, templateAdminDir, templateCredentials), } connectionsPaths := []string{ filepath.Join(templatesPath, templateAdminDir, templateBase), @@ -266,7 +270,7 @@ func loadAdminTemplates(templatesPath string) { folderTmpl := util.LoadTemplate(rootTpl, folderPath...) statusTmpl := util.LoadTemplate(rootTpl, statusPath...) loginTmpl := util.LoadTemplate(rootTpl, loginPath...) - changePwdTmpl := util.LoadTemplate(rootTpl, changePwdPaths...) + credentialsTmpl := util.LoadTemplate(rootTpl, credentialsPaths...) maintenanceTmpl := util.LoadTemplate(rootTpl, maintenancePath...) defenderTmpl := util.LoadTemplate(rootTpl, defenderPath...) setupTmpl := util.LoadTemplate(rootTpl, setupPath...) @@ -281,7 +285,7 @@ func loadAdminTemplates(templatesPath string) { adminTemplates[templateFolder] = folderTmpl adminTemplates[templateStatus] = statusTmpl adminTemplates[templateLogin] = loginTmpl - adminTemplates[templateChangePwd] = changePwdTmpl + adminTemplates[templateCredentials] = credentialsTmpl adminTemplates[templateMaintenance] = maintenanceTmpl adminTemplates[templateDefender] = defenderTmpl adminTemplates[templateSetup] = setupTmpl @@ -305,7 +309,7 @@ func getBasePageData(title, currentURL string, r *http.Request) basePage { FolderTemplateURL: webTemplateFolder, DefenderURL: webDefenderPath, LogoutURL: webLogoutPath, - ChangeAdminPwdURL: webChangeAdminPwdPath, + CredentialsURL: webAdminCredentialsPath, QuotaScanURL: webQuotaScanPath, ConnectionsURL: webConnectionsPath, StatusURL: webStatusPath, @@ -366,13 +370,22 @@ func renderNotFoundPage(w http.ResponseWriter, r *http.Request, err error) { renderMessagePage(w, r, page404Title, page404Body, http.StatusNotFound, err, "") } -func renderChangePwdPage(w http.ResponseWriter, r *http.Request, error string) { - data := changePwdPage{ - basePage: getBasePageData(pageChangePwdTitle, webChangeAdminPwdPath, r), - Error: error, +func renderCredentialsPage(w http.ResponseWriter, r *http.Request, pwdError, apiKeyError string) { + data := credentialsPage{ + basePage: getBasePageData(pageCredentialsTitle, webAdminCredentialsPath, r), + ChangePwdURL: webChangeAdminPwdPath, + ManageAPIKeyURL: webChangeAdminAPIKeyAccessPath, + Error: pwdError, + APIKeyError: apiKeyError, } + admin, err := dataprovider.AdminExists(data.LoggedAdmin.Username) + if err != nil { + renderInternalServerErrorPage(w, r, err) + return + } + data.AllowAPIKeyAuth = admin.Filters.AllowAPIKeyAuth - renderAdminTemplate(w, templateChangePwd, data) + renderAdminTemplate(w, templateCredentials, data) } func renderMaintenancePage(w http.ResponseWriter, r *http.Request, error string) { @@ -658,6 +671,7 @@ func getFiltersFromUserPostFields(r *http.Request) sdk.UserFilters { filters.Hooks.CheckPasswordDisabled = true } filters.DisableFsChecks = len(r.Form.Get("disable_fs_checks")) > 0 + filters.AllowAPIKeyAuth = len(r.Form.Get("allow_api_key_auth")) > 0 return filters } @@ -820,6 +834,7 @@ func getAdminFromPostFields(r *http.Request) (dataprovider.Admin, error) { admin.Email = r.Form.Get("email") admin.Status = status admin.Filters.AllowList = getSliceFromDelimitedValues(r.Form.Get("allowed_ip"), ",") + admin.Filters.AllowAPIKeyAuth = len(r.Form.Get("allow_api_key_auth")) > 0 admin.AdditionalInfo = r.Form.Get("additional_info") admin.Description = r.Form.Get("description") return admin, nil @@ -1018,15 +1033,16 @@ func getUserFromPostFields(r *http.Request) (dataprovider.User, error) { return user, err } -func handleWebAdminChangePwd(w http.ResponseWriter, r *http.Request) { - renderChangePwdPage(w, r, "") +func handleWebAdminCredentials(w http.ResponseWriter, r *http.Request) { + r.Body = http.MaxBytesReader(w, r.Body, maxRequestSize) + renderCredentialsPage(w, r, "", "") } func handleWebAdminChangePwdPost(w http.ResponseWriter, r *http.Request) { r.Body = http.MaxBytesReader(w, r.Body, maxRequestSize) err := r.ParseForm() if err != nil { - renderChangePwdPage(w, r, err.Error()) + renderCredentialsPage(w, r, err.Error(), "") return } if err := verifyCSRFToken(r.Form.Get(csrfFormToken)); err != nil { @@ -1036,13 +1052,45 @@ func handleWebAdminChangePwdPost(w http.ResponseWriter, r *http.Request) { err = doChangeAdminPassword(r, r.Form.Get("current_password"), r.Form.Get("new_password1"), r.Form.Get("new_password2")) if err != nil { - renderChangePwdPage(w, r, err.Error()) + renderCredentialsPage(w, r, err.Error(), "") return } handleWebLogout(w, r) } +func handleWebAdminManageAPIKeyPost(w http.ResponseWriter, r *http.Request) { + r.Body = http.MaxBytesReader(w, r.Body, maxRequestSize) + err := r.ParseForm() + if err != nil { + renderCredentialsPage(w, r, err.Error(), "") + return + } + if err := verifyCSRFToken(r.Form.Get(csrfFormToken)); err != nil { + renderForbiddenPage(w, r, err.Error()) + return + } + claims, err := getTokenClaims(r) + if err != nil || claims.Username == "" { + renderCredentialsPage(w, r, "", "Invalid token claims") + return + } + admin, err := dataprovider.AdminExists(claims.Username) + if err != nil { + renderCredentialsPage(w, r, "", err.Error()) + return + } + admin.Filters.AllowAPIKeyAuth = len(r.Form.Get("allow_api_key_auth")) > 0 + err = dataprovider.UpdateAdmin(&admin) + if err != nil { + renderCredentialsPage(w, r, "", err.Error()) + return + } + renderMessagePage(w, r, "API key authentication updated", "", http.StatusOK, nil, + "Your API key access permission has been successfully updated") +} + func handleWebLogout(w http.ResponseWriter, r *http.Request) { + r.Body = http.MaxBytesReader(w, r.Body, maxRequestSize) c := jwtTokenClaims{} c.removeCookie(w, r, webBaseAdminPath) @@ -1050,10 +1098,12 @@ func handleWebLogout(w http.ResponseWriter, r *http.Request) { } func handleWebMaintenance(w http.ResponseWriter, r *http.Request) { + r.Body = http.MaxBytesReader(w, r.Body, maxRequestSize) renderMaintenancePage(w, r, "") } func handleWebRestore(w http.ResponseWriter, r *http.Request) { + r.Body = http.MaxBytesReader(w, r.Body, MaxRestoreSize) err := r.ParseMultipartForm(MaxRestoreSize) if err != nil { renderMaintenancePage(w, r, err.Error()) @@ -1098,6 +1148,7 @@ func handleWebRestore(w http.ResponseWriter, r *http.Request) { } func handleGetWebAdmins(w http.ResponseWriter, r *http.Request) { + r.Body = http.MaxBytesReader(w, r.Body, maxRequestSize) limit := defaultQueryLimit if _, ok := r.URL.Query()["qlimit"]; ok { var err error @@ -1126,6 +1177,7 @@ func handleGetWebAdmins(w http.ResponseWriter, r *http.Request) { } func handleWebAdminSetupGet(w http.ResponseWriter, r *http.Request) { + r.Body = http.MaxBytesReader(w, r.Body, maxLoginBodySize) if dataprovider.HasAdmin() { http.Redirect(w, r, webLoginPath, http.StatusFound) return @@ -1134,11 +1186,13 @@ func handleWebAdminSetupGet(w http.ResponseWriter, r *http.Request) { } func handleWebAddAdminGet(w http.ResponseWriter, r *http.Request) { + r.Body = http.MaxBytesReader(w, r.Body, maxRequestSize) admin := &dataprovider.Admin{Status: 1} renderAddUpdateAdminPage(w, r, admin, "", true) } func handleWebUpdateAdminGet(w http.ResponseWriter, r *http.Request) { + r.Body = http.MaxBytesReader(w, r.Body, maxRequestSize) username := getURLParam(r, "username") admin, err := dataprovider.AdminExists(username) if err == nil { @@ -1220,6 +1274,7 @@ func handleWebUpdateAdminPost(w http.ResponseWriter, r *http.Request) { } func handleWebDefenderPage(w http.ResponseWriter, r *http.Request) { + r.Body = http.MaxBytesReader(w, r.Body, maxRequestSize) data := defenderHostsPage{ basePage: getBasePageData(pageDefenderTitle, webDefenderPath, r), DefenderHostsURL: webDefenderHostsPath, @@ -1229,6 +1284,7 @@ func handleWebDefenderPage(w http.ResponseWriter, r *http.Request) { } func handleGetWebUsers(w http.ResponseWriter, r *http.Request) { + r.Body = http.MaxBytesReader(w, r.Body, maxRequestSize) limit := defaultQueryLimit if _, ok := r.URL.Query()["qlimit"]; ok { var err error @@ -1257,6 +1313,7 @@ func handleGetWebUsers(w http.ResponseWriter, r *http.Request) { } func handleWebTemplateFolderGet(w http.ResponseWriter, r *http.Request) { + r.Body = http.MaxBytesReader(w, r.Body, maxRequestSize) if r.URL.Query().Get("from") != "" { name := r.URL.Query().Get("from") folder, err := dataprovider.GetFolderByName(name) @@ -1319,6 +1376,7 @@ func handleWebTemplateFolderPost(w http.ResponseWriter, r *http.Request) { } func handleWebTemplateUserGet(w http.ResponseWriter, r *http.Request) { + r.Body = http.MaxBytesReader(w, r.Body, maxRequestSize) if r.URL.Query().Get("from") != "" { username := r.URL.Query().Get("from") user, err := dataprovider.UserExists(username) @@ -1376,6 +1434,7 @@ func handleWebTemplateUserPost(w http.ResponseWriter, r *http.Request) { } func handleWebAddUserGet(w http.ResponseWriter, r *http.Request) { + r.Body = http.MaxBytesReader(w, r.Body, maxRequestSize) if r.URL.Query().Get("clone-from") != "" { username := r.URL.Query().Get("clone-from") user, err := dataprovider.UserExists(username) @@ -1397,6 +1456,7 @@ func handleWebAddUserGet(w http.ResponseWriter, r *http.Request) { } func handleWebUpdateUserGet(w http.ResponseWriter, r *http.Request) { + r.Body = http.MaxBytesReader(w, r.Body, maxRequestSize) username := getURLParam(r, "username") user, err := dataprovider.UserExists(username) if err == nil { @@ -1469,6 +1529,7 @@ func handleWebUpdateUserPost(w http.ResponseWriter, r *http.Request) { } func handleWebGetStatus(w http.ResponseWriter, r *http.Request) { + r.Body = http.MaxBytesReader(w, r.Body, maxRequestSize) data := statusPage{ basePage: getBasePageData(pageStatusTitle, webStatusPath, r), Status: getServicesStatus(), @@ -1477,6 +1538,7 @@ func handleWebGetStatus(w http.ResponseWriter, r *http.Request) { } func handleWebGetConnections(w http.ResponseWriter, r *http.Request) { + r.Body = http.MaxBytesReader(w, r.Body, maxRequestSize) connectionStats := common.Connections.GetStats() data := connectionsPage{ basePage: getBasePageData(pageConnectionsTitle, webConnectionsPath, r), @@ -1486,6 +1548,7 @@ func handleWebGetConnections(w http.ResponseWriter, r *http.Request) { } func handleWebAddFolderGet(w http.ResponseWriter, r *http.Request) { + r.Body = http.MaxBytesReader(w, r.Body, maxRequestSize) renderFolderPage(w, r, vfs.BaseVirtualFolder{}, folderPageModeAdd, "") } @@ -1520,6 +1583,7 @@ func handleWebAddFolderPost(w http.ResponseWriter, r *http.Request) { } func handleWebUpdateFolderGet(w http.ResponseWriter, r *http.Request) { + r.Body = http.MaxBytesReader(w, r.Body, maxRequestSize) name := getURLParam(r, "name") folder, err := dataprovider.GetFolderByName(name) if err == nil { @@ -1594,6 +1658,7 @@ func getWebVirtualFolders(w http.ResponseWriter, r *http.Request, limit int) ([] } func handleWebGetFolders(w http.ResponseWriter, r *http.Request) { + r.Body = http.MaxBytesReader(w, r.Body, maxRequestSize) limit := defaultQueryLimit if _, ok := r.URL.Query()["qlimit"]; ok { var err error diff --git a/httpd/webclient.go b/httpd/webclient.go index 0bd55965..9f3b210a 100644 --- a/httpd/webclient.go +++ b/httpd/webclient.go @@ -91,13 +91,16 @@ type clientMessagePage struct { Success string } -type credentialsPage struct { +type clientCredentialsPage struct { baseClientPage - PublicKeys []string - ChangePwdURL string - ManageKeysURL string - PwdError string - KeyError string + PublicKeys []string + AllowAPIKeyAuth bool + ChangePwdURL string + ManageKeysURL string + ManageAPIKeyURL string + PwdError string + KeyError string + APIKeyError string } func getFileObjectURL(baseDir, name string) string { @@ -235,23 +238,28 @@ func renderFilesPage(w http.ResponseWriter, r *http.Request, dirName, error stri renderClientTemplate(w, templateClientFiles, data) } -func renderCredentialsPage(w http.ResponseWriter, r *http.Request, pwdError string, keyError string) { - data := credentialsPage{ - baseClientPage: getBaseClientPageData(pageClientCredentialsTitle, webClientCredentialsPath, r), - ChangePwdURL: webChangeClientPwdPath, - ManageKeysURL: webChangeClientKeysPath, - PwdError: pwdError, - KeyError: keyError, +func renderClientCredentialsPage(w http.ResponseWriter, r *http.Request, pwdError, keyError, apiKeyError string) { + data := clientCredentialsPage{ + baseClientPage: getBaseClientPageData(pageClientCredentialsTitle, webClientCredentialsPath, r), + ChangePwdURL: webChangeClientPwdPath, + ManageKeysURL: webChangeClientKeysPath, + ManageAPIKeyURL: webChangeClientAPIKeyAccessPath, + PwdError: pwdError, + KeyError: keyError, + APIKeyError: apiKeyError, } user, err := dataprovider.UserExists(data.LoggedUser.Username) if err != nil { renderClientInternalServerErrorPage(w, r, err) + return } data.PublicKeys = user.PublicKeys + data.AllowAPIKeyAuth = user.Filters.AllowAPIKeyAuth renderClientTemplate(w, templateClientCredentials, data) } func handleWebClientLogout(w http.ResponseWriter, r *http.Request) { + r.Body = http.MaxBytesReader(w, r.Body, maxLoginBodySize) c := jwtTokenClaims{} c.removeCookie(w, r, webBaseClientPath) @@ -259,6 +267,7 @@ func handleWebClientLogout(w http.ResponseWriter, r *http.Request) { } func handleWebClientDownloadZip(w http.ResponseWriter, r *http.Request) { + r.Body = http.MaxBytesReader(w, r.Body, maxRequestSize) claims, err := getTokenClaims(r) if err != nil || claims.Username == "" { renderClientMessagePage(w, r, "Invalid token claims", "", http.StatusForbidden, nil, "") @@ -303,6 +312,7 @@ func handleWebClientDownloadZip(w http.ResponseWriter, r *http.Request) { } func handleClientGetDirContents(w http.ResponseWriter, r *http.Request) { + r.Body = http.MaxBytesReader(w, r.Body, maxRequestSize) claims, err := getTokenClaims(r) if err != nil || claims.Username == "" { sendAPIResponse(w, r, nil, "invalid token claims", http.StatusForbidden) @@ -365,6 +375,7 @@ func handleClientGetDirContents(w http.ResponseWriter, r *http.Request) { } func handleClientGetFiles(w http.ResponseWriter, r *http.Request) { + r.Body = http.MaxBytesReader(w, r.Body, maxRequestSize) claims, err := getTokenClaims(r) if err != nil || claims.Username == "" { renderClientForbiddenPage(w, r, "Invalid token claims") @@ -421,14 +432,15 @@ func handleClientGetFiles(w http.ResponseWriter, r *http.Request) { } func handleClientGetCredentials(w http.ResponseWriter, r *http.Request) { - renderCredentialsPage(w, r, "", "") + r.Body = http.MaxBytesReader(w, r.Body, maxRequestSize) + renderClientCredentialsPage(w, r, "", "", "") } func handleWebClientChangePwdPost(w http.ResponseWriter, r *http.Request) { r.Body = http.MaxBytesReader(w, r.Body, maxRequestSize) err := r.ParseForm() if err != nil { - renderCredentialsPage(w, r, err.Error(), "") + renderClientCredentialsPage(w, r, err.Error(), "", "") return } if err := verifyCSRFToken(r.Form.Get(csrfFormToken)); err != nil { @@ -438,7 +450,7 @@ func handleWebClientChangePwdPost(w http.ResponseWriter, r *http.Request) { err = doChangeUserPassword(r, r.Form.Get("current_password"), r.Form.Get("new_password1"), r.Form.Get("new_password2")) if err != nil { - renderCredentialsPage(w, r, err.Error(), "") + renderClientCredentialsPage(w, r, err.Error(), "", "") return } handleWebClientLogout(w, r) @@ -448,7 +460,7 @@ func handleWebClientManageKeysPost(w http.ResponseWriter, r *http.Request) { r.Body = http.MaxBytesReader(w, r.Body, maxRequestSize) err := r.ParseForm() if err != nil { - renderCredentialsPage(w, r, "", err.Error()) + renderClientCredentialsPage(w, r, "", err.Error(), "") return } if err := verifyCSRFToken(r.Form.Get(csrfFormToken)); err != nil { @@ -457,19 +469,51 @@ func handleWebClientManageKeysPost(w http.ResponseWriter, r *http.Request) { } claims, err := getTokenClaims(r) if err != nil || claims.Username == "" { - renderCredentialsPage(w, r, "", "Invalid token claims") + renderClientCredentialsPage(w, r, "", "Invalid token claims", "") return } user, err := dataprovider.UserExists(claims.Username) if err != nil { - renderCredentialsPage(w, r, "", err.Error()) + renderClientCredentialsPage(w, r, "", err.Error(), "") return } user.PublicKeys = r.Form["public_keys"] err = dataprovider.UpdateUser(&user) if err != nil { - renderCredentialsPage(w, r, "", err.Error()) + renderClientCredentialsPage(w, r, "", err.Error(), "") return } - renderClientMessagePage(w, r, "Public keys updated", "", http.StatusOK, nil, "Your public keys has been successfully updated") + renderClientMessagePage(w, r, "Public keys updated", "", http.StatusOK, nil, + "Your public keys has been successfully updated") +} + +func handleWebClientManageAPIKeyPost(w http.ResponseWriter, r *http.Request) { + r.Body = http.MaxBytesReader(w, r.Body, maxRequestSize) + err := r.ParseForm() + if err != nil { + renderClientCredentialsPage(w, r, "", "", err.Error()) + return + } + if err := verifyCSRFToken(r.Form.Get(csrfFormToken)); err != nil { + renderClientForbiddenPage(w, r, err.Error()) + return + } + claims, err := getTokenClaims(r) + if err != nil || claims.Username == "" { + renderClientCredentialsPage(w, r, "", "", "Invalid token claims") + return + } + user, err := dataprovider.UserExists(claims.Username) + if err != nil { + renderClientCredentialsPage(w, r, "", "", err.Error()) + return + } + user.Filters.AllowAPIKeyAuth = len(r.Form.Get("allow_api_key_auth")) > 0 + err = dataprovider.UpdateUser(&user) + if err != nil { + renderClientCredentialsPage(w, r, "", "", err.Error()) + return + } + renderClientMessagePage(w, r, "API key authentication updated", "", http.StatusOK, nil, + "Your API key access permission has been successfully updated") } diff --git a/httpdtest/httpdtest.go b/httpdtest/httpdtest.go index 8c45d447..a26e9263 100644 --- a/httpdtest/httpdtest.go +++ b/httpdtest/httpdtest.go @@ -44,6 +44,7 @@ const ( defenderScore = "/api/v2/defender/score" adminPath = "/api/v2/admins" adminPwdPath = "/api/v2/admin/changepwd" + apiKeysPath = "/api/v2/apikeys" ) const ( @@ -241,7 +242,7 @@ func GetUsers(limit, offset int64, expectedStatusCode int) ([]dataprovider.User, return users, body, err } -// AddAdmin adds a new user and checks the received HTTP Status code against expectedStatusCode. +// AddAdmin adds a new admin and checks the received HTTP Status code against expectedStatusCode. func AddAdmin(admin dataprovider.Admin, expectedStatusCode int) (dataprovider.Admin, []byte, error) { var newAdmin dataprovider.Admin var body []byte @@ -372,6 +373,121 @@ func ChangeAdminPassword(currentPassword, newPassword string, expectedStatusCode return body, err } +// GetAPIKeys returns a list of API keys and checks the received HTTP Status code against expectedStatusCode. +// The number of results can be limited specifying a limit. +// Some results can be skipped specifying an offset. +func GetAPIKeys(limit, offset int64, expectedStatusCode int) ([]dataprovider.APIKey, []byte, error) { + var apiKeys []dataprovider.APIKey + var body []byte + url, err := addLimitAndOffsetQueryParams(buildURLRelativeToBase(apiKeysPath), limit, offset) + if err != nil { + return apiKeys, body, err + } + resp, err := sendHTTPRequest(http.MethodGet, url.String(), nil, "", getDefaultToken()) + if err != nil { + return apiKeys, body, err + } + defer resp.Body.Close() + err = checkResponse(resp.StatusCode, expectedStatusCode) + if err == nil && expectedStatusCode == http.StatusOK { + err = render.DecodeJSON(resp.Body, &apiKeys) + } else { + body, _ = getResponseBody(resp) + } + return apiKeys, body, err +} + +// AddAPIKey adds a new API key and checks the received HTTP Status code against expectedStatusCode. +func AddAPIKey(apiKey dataprovider.APIKey, expectedStatusCode int) (dataprovider.APIKey, []byte, error) { + var newAPIKey dataprovider.APIKey + var body []byte + asJSON, _ := json.Marshal(apiKey) + resp, err := sendHTTPRequest(http.MethodPost, buildURLRelativeToBase(apiKeysPath), bytes.NewBuffer(asJSON), + "application/json", getDefaultToken()) + if err != nil { + return newAPIKey, body, err + } + defer resp.Body.Close() + err = checkResponse(resp.StatusCode, expectedStatusCode) + if expectedStatusCode != http.StatusCreated { + body, _ = getResponseBody(resp) + return newAPIKey, body, err + } + if err != nil { + body, _ = getResponseBody(resp) + return newAPIKey, body, err + } + response := make(map[string]string) + err = render.DecodeJSON(resp.Body, &response) + if err == nil { + newAPIKey, body, err = GetAPIKeyByID(resp.Header.Get("X-Object-ID"), http.StatusOK) + } + if err == nil { + err = checkAPIKey(&apiKey, &newAPIKey) + } + newAPIKey.Key = response["key"] + + return newAPIKey, body, err +} + +// UpdateAPIKey updates an existing API key and checks the received HTTP Status code against expectedStatusCode +func UpdateAPIKey(apiKey dataprovider.APIKey, expectedStatusCode int) (dataprovider.APIKey, []byte, error) { + var newAPIKey dataprovider.APIKey + var body []byte + + asJSON, _ := json.Marshal(apiKey) + resp, err := sendHTTPRequest(http.MethodPut, buildURLRelativeToBase(apiKeysPath, url.PathEscape(apiKey.KeyID)), + bytes.NewBuffer(asJSON), "application/json", getDefaultToken()) + if err != nil { + return newAPIKey, body, err + } + defer resp.Body.Close() + body, _ = getResponseBody(resp) + err = checkResponse(resp.StatusCode, expectedStatusCode) + if expectedStatusCode != http.StatusOK { + return newAPIKey, body, err + } + if err == nil { + newAPIKey, body, err = GetAPIKeyByID(apiKey.KeyID, expectedStatusCode) + } + if err == nil { + err = checkAPIKey(&apiKey, &newAPIKey) + } + return newAPIKey, body, err +} + +// RemoveAPIKey removes an existing API key and checks the received HTTP Status code against expectedStatusCode. +func RemoveAPIKey(apiKey dataprovider.APIKey, expectedStatusCode int) ([]byte, error) { + var body []byte + resp, err := sendHTTPRequest(http.MethodDelete, buildURLRelativeToBase(apiKeysPath, url.PathEscape(apiKey.KeyID)), + nil, "", getDefaultToken()) + if err != nil { + return body, err + } + defer resp.Body.Close() + body, _ = getResponseBody(resp) + return body, checkResponse(resp.StatusCode, expectedStatusCode) +} + +// GetAPIKeyByID gets a API key by ID and checks the received HTTP Status code against expectedStatusCode. +func GetAPIKeyByID(keyID string, expectedStatusCode int) (dataprovider.APIKey, []byte, error) { + var apiKey dataprovider.APIKey + var body []byte + resp, err := sendHTTPRequest(http.MethodGet, buildURLRelativeToBase(apiKeysPath, url.PathEscape(keyID)), + nil, "", getDefaultToken()) + if err != nil { + return apiKey, body, err + } + defer resp.Body.Close() + err = checkResponse(resp.StatusCode, expectedStatusCode) + if err == nil && expectedStatusCode == http.StatusOK { + err = render.DecodeJSON(resp.Body, &apiKey) + } else { + body, _ = getResponseBody(resp) + } + return apiKey, body, err +} + // GetQuotaScans gets active quota scans for users and checks the received HTTP Status code against expectedStatusCode. func GetQuotaScans(expectedStatusCode int) ([]common.ActiveQuotaScan, []byte, error) { var quotaScans []common.ActiveQuotaScan @@ -894,7 +1010,42 @@ func checkFolder(expected *vfs.BaseVirtualFolder, actual *vfs.BaseVirtualFolder) return compareFsConfig(&expected.FsConfig, &actual.FsConfig) } -func checkAdmin(expected *dataprovider.Admin, actual *dataprovider.Admin) error { +func checkAPIKey(expected, actual *dataprovider.APIKey) error { + if actual.Key != "" { + return errors.New("key must not be visible") + } + if actual.KeyID == "" { + return errors.New("actual key_id cannot be empty") + } + if expected.Name != actual.Name { + return errors.New("name mismatch") + } + if expected.Scope != actual.Scope { + return errors.New("scope mismatch") + } + if actual.CreatedAt == 0 { + return errors.New("created_at cannot be 0") + } + if actual.UpdatedAt == 0 { + return errors.New("updated_at cannot be 0") + } + if expected.ExpiresAt != actual.ExpiresAt { + return errors.New("expires_at mismatch") + } + if expected.Description != actual.Description { + return errors.New("description mismatch") + } + if expected.User != actual.User { + return errors.New("user mismatch") + } + if expected.Admin != actual.Admin { + return errors.New("admin mismatch") + } + + return nil +} + +func checkAdmin(expected, actual *dataprovider.Admin) error { if actual.Password != "" { return errors.New("admin password must not be visible") } @@ -921,6 +1072,9 @@ func checkAdmin(expected *dataprovider.Admin, actual *dataprovider.Admin) error if len(expected.Filters.AllowList) != len(actual.Filters.AllowList) { return errors.New("allow list mismatch") } + if expected.Filters.AllowAPIKeyAuth != actual.Filters.AllowAPIKeyAuth { + return errors.New("allow_api_key_auth mismatch") + } for _, v := range expected.Filters.AllowList { if !util.IsStringInSlice(v, actual.Filters.AllowList) { return errors.New("allow list content mismatch") @@ -1270,6 +1424,9 @@ func compareUserFilters(expected *dataprovider.User, actual *dataprovider.User) if len(expected.Filters.WebClient) != len(actual.Filters.WebClient) { return errors.New("WebClient filter mismatch") } + if expected.Filters.AllowAPIKeyAuth != actual.Filters.AllowAPIKeyAuth { + return errors.New("allow_api_key_auth mismatch") + } if err := compareUserFilterSubStructs(expected, actual); err != nil { return err } diff --git a/sdk/user.go b/sdk/user.go index d042c756..fb5998d6 100644 --- a/sdk/user.go +++ b/sdk/user.go @@ -120,6 +120,8 @@ type UserFilters struct { DisableFsChecks bool `json:"disable_fs_checks,omitempty"` // WebClient related configuration options WebClient []string `json:"web_client,omitempty"` + // API key auth allows to impersonate this user with an API key + AllowAPIKeyAuth bool `json:"allow_api_key_auth,omitempty"` } type BaseUser struct { diff --git a/service/service.go b/service/service.go index 1ed2b892..7214480d 100644 --- a/service/service.go +++ b/service/service.go @@ -286,7 +286,11 @@ func (s *Service) loadInitialData() error { } func (s *Service) restoreDump(dump *dataprovider.BackupData) error { - err := httpd.RestoreAdmins(dump.Admins, s.LoadDataFrom, s.LoadDataMode) + err := httpd.RestoreAPIKeys(dump.APIKeys, s.LoadDataFrom, s.LoadDataMode) + if err != nil { + return fmt.Errorf("unable to restore API keys from file %#v: %v", s.LoadDataFrom, err) + } + err = httpd.RestoreAdmins(dump.Admins, s.LoadDataFrom, s.LoadDataMode) if err != nil { return fmt.Errorf("unable to restore admins from file %#v: %v", s.LoadDataFrom, err) } diff --git a/templates/webadmin/admin.html b/templates/webadmin/admin.html index 359ddbd3..df75fef3 100644 --- a/templates/webadmin/admin.html +++ b/templates/webadmin/admin.html @@ -88,6 +88,17 @@ +
+
+ + + + Allow to impersonate this admin, in REST API, with an API key + +
+
+
diff --git a/templates/webadmin/base.html b/templates/webadmin/base.html index 38322c53..aa1508a0 100644 --- a/templates/webadmin/base.html +++ b/templates/webadmin/base.html @@ -69,7 +69,7 @@
-
SFTPGo Web
+
SFTPGo Admin
@@ -167,9 +167,9 @@
- + - Change password + Credentials
diff --git a/templates/webadmin/changepwd.html b/templates/webadmin/credentials.html similarity index 53% rename from templates/webadmin/changepwd.html rename to templates/webadmin/credentials.html index 72deeee1..1258914d 100644 --- a/templates/webadmin/changepwd.html +++ b/templates/webadmin/credentials.html @@ -14,7 +14,7 @@
{{.Error}}
{{end}} -
+
@@ -41,4 +41,31 @@
+
+
+
REST API access
+
+
+ {{if .APIKeyError}} +
+
{{.APIKeyError}}
+
+ {{end}} +
+
+
+ + + + Allow to impersonate yourself, in REST API, with an API key. If this permission is not granted, your credentials are required to use the REST API on your behalf + +
+
+ + + +
+
+
{{end}} diff --git a/templates/webadmin/user.html b/templates/webadmin/user.html index afc053d9..ae38c47c 100644 --- a/templates/webadmin/user.html +++ b/templates/webadmin/user.html @@ -455,6 +455,17 @@
+
+
+ + + + Allow to impersonate this user, in REST API, with an API key + +
+
+
diff --git a/templates/webclient/credentials.html b/templates/webclient/credentials.html index a3fc8195..156bf272 100644 --- a/templates/webclient/credentials.html +++ b/templates/webclient/credentials.html @@ -95,6 +95,33 @@
{{end}} +
+
+
REST API access
+
+
+ {{if .APIKeyError}} +
+
{{.APIKeyError}}
+
+ {{end}} +
+
+
+ + + + Allow to impersonate yourself, in REST API, with an API key. If this permission is not granted, your credentials are required to use the REST API on your behalf + +
+
+ + + +
+
+
{{end}} {{define "extra_js"}}