6 năm trước cách đây · a7a3d533e7
--- a/README.md
+++ b/README.md
@@ -144,7 +144,7 @@ For each account the following properties can be configured:
 
				 
			
 
				 - `username` 
			
 
				 - `password` used for password authentication. For users created using SFTPGo REST API the password will be stored using argon2id hashing algo. SFTPGo supports checking passwords stored with bcrypt too. Currently, as fallback, there is a clear text password checking but you should not store passwords as clear text and this support could be removed at any time, so please don't depend on it. 
			
 
				-- `public_key` used for public key authentication. At least one between password and public key is mandatory
			
 
				+- `public_key` used for public key authentication. At least one between password and public key is mandatory. Multiple public keys are supported, newline delimited (unix line break unescaped).
			
 
				 - `home_dir` The user cannot upload or download files outside this directory. Must be an absolute path
			
 
				 - `uid`, `gid`. If sftpgo runs as root system user then the created files and directories will be assigned to this system uid/gid. Ignored on windows and if sftpgo runs as non root user: in this case files and directories for all SFTP users will be owned by the system user that runs sftpgo.
			
 
				 - `max_sessions` maximum concurrent sessions. 0 means unlimited
			
--- a/api/api_test.go
+++ b/api/api_test.go
@@ -178,6 +178,36 @@ func TestAddUserInvalidPerms(t *testing.T) {
 
				 	}
			
 
				 }
			
 
				 
			
 
				+func TestUserPublicKey(t *testing.T) {
			
 
				+	u := getTestUser()
			
 
				+	invalidPubKey := "invalid"
			
 
				+	validPubKey := "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC03jj0D+djk7pxIf/0OhrxrchJTRZklofJ1NoIu4752Sq02mdXmarMVsqJ1cAjV5LBVy3D1F5U6XW4rppkXeVtd04Pxb09ehtH0pRRPaoHHlALiJt8CoMpbKYMA8b3KXPPriGxgGomvtU2T2RMURSwOZbMtpsugfjYSWenyYX+VORYhylWnSXL961LTyC21ehd6d6QnW9G7E5hYMITMY9TuQZz3bROYzXiTsgN0+g6Hn7exFQp50p45StUMfV/SftCMdCxlxuyGny2CrN/vfjO7xxOo2uv7q1qm10Q46KPWJQv+pgZ/OfL+EDjy07n5QVSKHlbx+2nT4Q0EgOSQaCTYwn3YjtABfIxWwgAFdyj6YlPulCL22qU4MYhDcA6PSBwDdf8hvxBfvsiHdM+JcSHvv8/VeJhk6CmnZxGY0fxBupov27z3yEO8nAg8k+6PaUiW1MSUfuGMF/ktB8LOstXsEPXSszuyXiOv4DaryOXUiSn7bmRqKcEFlJusO6aZP0= nicola@p1"
			
 
				+	u.PublicKey = invalidPubKey
			
 
				+	_, err := api.AddUser(u, http.StatusBadRequest)
			
 
				+	if err != nil {
			
 
				+		t.Errorf("unexpected error adding user with invalid pub key: %v", err)
			
 
				+	}
			
 
				+	u.PublicKey = validPubKey
			
 
				+	user, err := api.AddUser(u, http.StatusOK)
			
 
				+	if err != nil {
			
 
				+		t.Errorf("unable to add user: %v", err)
			
 
				+	}
			
 
				+	user.PublicKey = validPubKey + "\n" + invalidPubKey
			
 
				+	_, err = api.UpdateUser(user, http.StatusBadRequest)
			
 
				+	if err != nil {
			
 
				+		t.Errorf("update user with invalid public key must fail: %v", err)
			
 
				+	}
			
 
				+	user.PublicKey = validPubKey + "\n" + validPubKey + "\n" + validPubKey
			
 
				+	_, err = api.UpdateUser(user, http.StatusOK)
			
 
				+	if err != nil {
			
 
				+		t.Errorf("unable to update user: %v", err)
			
 
				+	}
			
 
				+	err = api.RemoveUser(user, http.StatusOK)
			
 
				+	if err != nil {
			
 
				+		t.Errorf("unable to remove: %v", err)
			
 
				+	}
			
 
				+}
			
 
				+
			
 
				 func TestUpdateUser(t *testing.T) {
			
 
				 	user, err := api.AddUser(getTestUser(), http.StatusOK)
			
 
				 	if err != nil {
			
--- a/api/schema/openapi.yaml
+++ b/api/schema/openapi.yaml
@@ -526,7 +526,7 @@ components:
 
				         public_key:
			
 
				           type: string
			
 
				           nullable: true
			
 
				-          description: password or public key are mandatory. For security reasons this field is omitted when you search/get users
			
 
				+          description: password or public key are mandatory. For security reasons this field is omitted when you search/get users. Multiple public keys are supported, newline delimited, when adding or modifying an user
			
 
				         home_dir:
			
 
				           type: string
			
 
				           description: path to the user home directory. The user cannot upload or download files outside this directory. SFTPGo tries to automatically create this folder if missing. Must be an absolute path
			
--- a/sftpd/sftpd_test.go
+++ b/sftpd/sftpd_test.go
@@ -29,13 +29,13 @@ import (
 
				 )
			
 
				 
			
 
				 const (
			
 
				-	logSender            = "sftpdTesting"
			
 
				-	sftpServerAddr       = "127.0.0.1:2022"
			
 
				-	defaultUsername      = "test_user_sftp"
			
 
				-	defaultPassword      = "test_password"
			
 
				-	testPubKey           = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC03jj0D+djk7pxIf/0OhrxrchJTRZklofJ1NoIu4752Sq02mdXmarMVsqJ1cAjV5LBVy3D1F5U6XW4rppkXeVtd04Pxb09ehtH0pRRPaoHHlALiJt8CoMpbKYMA8b3KXPPriGxgGomvtU2T2RMURSwOZbMtpsugfjYSWenyYX+VORYhylWnSXL961LTyC21ehd6d6QnW9G7E5hYMITMY9TuQZz3bROYzXiTsgN0+g6Hn7exFQp50p45StUMfV/SftCMdCxlxuyGny2CrN/vfjO7xxOo2uv7q1qm10Q46KPWJQv+pgZ/OfL+EDjy07n5QVSKHlbx+2nT4Q0EgOSQaCTYwn3YjtABfIxWwgAFdyj6YlPulCL22qU4MYhDcA6PSBwDdf8hvxBfvsiHdM+JcSHvv8/VeJhk6CmnZxGY0fxBupov27z3yEO8nAg8k+6PaUiW1MSUfuGMF/ktB8LOstXsEPXSszuyXiOv4DaryOXUiSn7bmRqKcEFlJusO6aZP0= nicola@p1"
			
 
				-	testInvalidPublicKey = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCd60+/j+y8f0tLftihWV1YN9RSahMI9btQMDIMqts/jeNbD8jgoogM3nhF7KxfcaMKURuD47KC4Ey6iAJUJ0sWkSNNxOcIYuvA+5MlspfZDsa8Ag76Fe1vyz72WeHMHMeh/hwFo2TeIeIXg480T1VI6mzfDrVp2GzUx0SS0dMsQBjftXkuVR8YOiOwMCAH2a//M1OrvV7d/NBk6kBN0WnuIBb2jKm15PAA7+jQQG7tzwk2HedNH3jeL5GH31xkSRwlBczRK0xsCQXehAlx6cT/e/s44iJcJTHfpPKoSk6UAhPJYe7Z1QnuoawY9P9jQaxpyeImBZxxUEowhjpj2avBxKdRGBVK8R7EL8tSOeLbhdyWe5Mwc1+foEbq9Zz5j5Kd+hn3Wm1UnsGCrXUUUoZp1jnlNl0NakCto+5KmqnT9cHxaY+ix2RLUWAZyVFlRq71OYux1UHJnEJPiEI1/tr4jFBSL46qhQZv/TfpkfVW8FLz0lErfqu0gQEZnNHr3Fc= nicola@p1"
			
 
				-	testPrivateKey       = `-----BEGIN OPENSSH PRIVATE KEY-----
			
 
				+	logSender       = "sftpdTesting"
			
 
				+	sftpServerAddr  = "127.0.0.1:2022"
			
 
				+	defaultUsername = "test_user_sftp"
			
 
				+	defaultPassword = "test_password"
			
 
				+	testPubKey      = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC03jj0D+djk7pxIf/0OhrxrchJTRZklofJ1NoIu4752Sq02mdXmarMVsqJ1cAjV5LBVy3D1F5U6XW4rppkXeVtd04Pxb09ehtH0pRRPaoHHlALiJt8CoMpbKYMA8b3KXPPriGxgGomvtU2T2RMURSwOZbMtpsugfjYSWenyYX+VORYhylWnSXL961LTyC21ehd6d6QnW9G7E5hYMITMY9TuQZz3bROYzXiTsgN0+g6Hn7exFQp50p45StUMfV/SftCMdCxlxuyGny2CrN/vfjO7xxOo2uv7q1qm10Q46KPWJQv+pgZ/OfL+EDjy07n5QVSKHlbx+2nT4Q0EgOSQaCTYwn3YjtABfIxWwgAFdyj6YlPulCL22qU4MYhDcA6PSBwDdf8hvxBfvsiHdM+JcSHvv8/VeJhk6CmnZxGY0fxBupov27z3yEO8nAg8k+6PaUiW1MSUfuGMF/ktB8LOstXsEPXSszuyXiOv4DaryOXUiSn7bmRqKcEFlJusO6aZP0= nicola@p1"
			
 
				+	testPubKey1     = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCd60+/j+y8f0tLftihWV1YN9RSahMI9btQMDIMqts/jeNbD8jgoogM3nhF7KxfcaMKURuD47KC4Ey6iAJUJ0sWkSNNxOcIYuvA+5MlspfZDsa8Ag76Fe1vyz72WeHMHMeh/hwFo2TeIeIXg480T1VI6mzfDrVp2GzUx0SS0dMsQBjftXkuVR8YOiOwMCAH2a//M1OrvV7d/NBk6kBN0WnuIBb2jKm15PAA7+jQQG7tzwk2HedNH3jeL5GH31xkSRwlBczRK0xsCQXehAlx6cT/e/s44iJcJTHfpPKoSk6UAhPJYe7Z1QnuoawY9P9jQaxpyeImBZxxUEowhjpj2avBxKdRGBVK8R7EL8tSOeLbhdyWe5Mwc1+foEbq9Zz5j5Kd+hn3Wm1UnsGCrXUUUoZp1jnlNl0NakCto+5KmqnT9cHxaY+ix2RLUWAZyVFlRq71OYux1UHJnEJPiEI1/tr4jFBSL46qhQZv/TfpkfVW8FLz0lErfqu0gQEZnNHr3Fc= nicola@p1"
			
 
				+	testPrivateKey  = `-----BEGIN OPENSSH PRIVATE KEY-----
			
 
				 b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
			
 
				 NhAAAAAwEAAQAAAYEAtN449A/nY5O6cSH/9Doa8a3ISU0WZJaHydTaCLuO+dkqtNpnV5mq
			
 
				 zFbKidXAI1eSwVctw9ReVOl1uK6aZF3lbXdOD8W9PXobR9KUUT2qBx5QC4ibfAqDKWymDA
			
@@ -494,7 +494,8 @@ func TestLogin(t *testing.T) {
 
				 		t.Errorf("login with invalid password must fail")
			
 
				 		defer client.Close()
			
 
				 	}
			
 
				-	user.PublicKey = testInvalidPublicKey
			
 
				+	// testPubKey1 is not authorized
			
 
				+	user.PublicKey = testPubKey1
			
 
				 	user.Password = ""
			
 
				 	_, err = api.UpdateUser(user, http.StatusOK)
			
 
				 	if err != nil {
			
@@ -505,6 +506,23 @@ func TestLogin(t *testing.T) {
 
				 		t.Errorf("login with invalid public key must fail")
			
 
				 		defer client.Close()
			
 
				 	}
			
 
				+	// login a user with multiple public keys, only the second one is valid
			
 
				+	user.PublicKey = testPubKey1 + "\n" + testPubKey
			
 
				+	user.Password = ""
			
 
				+	_, err = api.UpdateUser(user, http.StatusOK)
			
 
				+	if err != nil {
			
 
				+		t.Errorf("unable to update user: %v", err)
			
 
				+	}
			
 
				+	client, err = getSftpClient(user, true)
			
 
				+	if err != nil {
			
 
				+		t.Errorf("unable to create sftp client: %v", err)
			
 
				+	} else {
			
 
				+		defer client.Close()
			
 
				+		_, err := client.Getwd()
			
 
				+		if err != nil {
			
 
				+			t.Errorf("sftp client with multiple public key must work if at least one public key is valid")
			
 
				+		}
			
 
				+	}
			
 
				 	err = api.RemoveUser(user, http.StatusOK)
			
 
				 	if err != nil {
			
 
				 		t.Errorf("unable to remove user: %v", err)
			
@@ -1192,17 +1210,6 @@ func doSSH(user dataprovider.User, usePubKey bool) error {
 
				 	return err
			
 
				 }
			
 
				 
			
 
				-func modifyConf(sftpdConf sftpd.Configuration) {
			
 
				-	if runtime.GOOS == "windows" {
			
 
				-		homeBasePath = "C:\\"
			
 
				-	} else {
			
 
				-		homeBasePath = "/tmp"
			
 
				-		sftpdConf.Actions.ExecuteOn = []string{"download", "upload", "rename"}
			
 
				-		sftpdConf.Actions.Command = "/bin/true"
			
 
				-		sftpdConf.Actions.HTTPNotificationURL = "http://127.0.0.1:8080/"
			
 
				-	}
			
 
				-}
			
 
				-
			
 
				 func getSftpClient(user dataprovider.User, usePubKey bool) (*sftp.Client, error) {
			
 
				 	var sftpClient *sftp.Client
			
 
				 	config := &ssh.ClientConfig{