Home Explore Help
Register Sign In
Apq
/
sftpgo
mirror of https://github.com/drakkan/sftpgo.git
1
0
Fork 0
Files Issues 0 Wiki
Tree: dc1cc88a46
Branches Tags
sftpgo
/
dataprovider
/
dataprovider.go

dataprovider.go 101 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919920921922923924925926927928929930931932933934935936937938939940941942943944945946947948949950951952953954955956957958959960961962963964965966967968969970971972973974975976977978979980981982983984985986987988989990991992993994995996997998999100010011002100310041005100610071008100910101011101210131014101510161017101810191020102110221023102410251026102710281029103010311032103310341035103610371038103910401041104210431044104510461047104810491050105110521053105410551056105710581059106010611062106310641065106610671068106910701071107210731074107510761077107810791080108110821083108410851086108710881089109010911092109310941095109610971098109911001101110211031104110511061107110811091110111111121113111411151116111711181119112011211122112311241125112611271128112911301131113211331134113511361137113811391140114111421143114411451146114711481149115011511152115311541155115611571158115911601161116211631164116511661167116811691170117111721173117411751176117711781179118011811182118311841185118611871188118911901191119211931194119511961197119811991200120112021203120412051206120712081209121012111212121312141215121612171218121912201221122212231224122512261227122812291230123112321233123412351236123712381239124012411242124312441245124612471248124912501251125212531254125512561257125812591260126112621263126412651266126712681269127012711272127312741275127612771278127912801281128212831284128512861287128812891290129112921293129412951296129712981299130013011302130313041305130613071308130913101311131213131314131513161317131813191320132113221323132413251326132713281329133013311332133313341335133613371338133913401341134213431344134513461347134813491350135113521353135413551356135713581359136013611362136313641365136613671368136913701371137213731374137513761377137813791380138113821383138413851386138713881389139013911392139313941395139613971398139914001401140214031404140514061407140814091410141114121413141414151416141714181419142014211422142314241425142614271428142914301431143214331434143514361437143814391440144114421443144414451446144714481449145014511452145314541455145614571458145914601461146214631464146514661467146814691470147114721473147414751476147714781479148014811482148314841485148614871488148914901491149214931494149514961497149814991500150115021503150415051506150715081509151015111512151315141515151615171518151915201521152215231524152515261527152815291530153115321533153415351536153715381539154015411542154315441545154615471548154915501551155215531554155515561557155815591560156115621563156415651566156715681569157015711572157315741575157615771578157915801581158215831584158515861587158815891590159115921593159415951596159715981599160016011602160316041605160616071608160916101611161216131614161516161617161816191620162116221623162416251626162716281629163016311632163316341635163616371638163916401641164216431644164516461647164816491650165116521653165416551656165716581659166016611662166316641665166616671668166916701671167216731674167516761677167816791680168116821683168416851686168716881689169016911692169316941695169616971698169917001701170217031704170517061707170817091710171117121713171417151716171717181719172017211722172317241725172617271728172917301731173217331734173517361737173817391740174117421743174417451746174717481749175017511752175317541755175617571758175917601761176217631764176517661767176817691770177117721773177417751776177717781779178017811782178317841785178617871788178917901791179217931794179517961797179817991800180118021803180418051806180718081809181018111812181318141815181618171818181918201821182218231824182518261827182818291830183118321833183418351836183718381839184018411842184318441845184618471848184918501851185218531854185518561857185818591860186118621863186418651866186718681869187018711872187318741875187618771878187918801881188218831884188518861887188818891890189118921893189418951896189718981899190019011902190319041905190619071908190919101911191219131914191519161917191819191920192119221923192419251926192719281929193019311932193319341935193619371938193919401941194219431944194519461947194819491950195119521953195419551956195719581959196019611962196319641965196619671968196919701971197219731974197519761977197819791980198119821983198419851986198719881989199019911992199319941995199619971998199920002001200220032004200520062007200820092010201120122013201420152016201720182019202020212022202320242025202620272028202920302031203220332034203520362037203820392040204120422043204420452046204720482049205020512052205320542055205620572058205920602061206220632064206520662067206820692070207120722073207420752076207720782079208020812082208320842085208620872088208920902091209220932094209520962097209820992100210121022103210421052106210721082109211021112112211321142115211621172118211921202121212221232124212521262127212821292130213121322133213421352136213721382139214021412142214321442145214621472148214921502151215221532154215521562157215821592160216121622163216421652166216721682169217021712172217321742175217621772178217921802181218221832184218521862187218821892190219121922193219421952196219721982199220022012202220322042205220622072208220922102211221222132214221522162217221822192220222122222223222422252226222722282229223022312232223322342235223622372238223922402241224222432244224522462247224822492250225122522253225422552256225722582259226022612262226322642265226622672268226922702271227222732274227522762277227822792280228122822283228422852286228722882289229022912292229322942295229622972298229923002301230223032304230523062307230823092310231123122313231423152316231723182319232023212322232323242325232623272328232923302331233223332334233523362337233823392340234123422343234423452346234723482349235023512352235323542355235623572358235923602361236223632364236523662367236823692370237123722373237423752376237723782379238023812382238323842385238623872388238923902391239223932394239523962397239823992400240124022403240424052406240724082409241024112412241324142415241624172418241924202421242224232424242524262427242824292430243124322433243424352436243724382439244024412442244324442445244624472448244924502451245224532454245524562457245824592460246124622463246424652466246724682469247024712472247324742475247624772478247924802481248224832484248524862487248824892490249124922493249424952496249724982499250025012502250325042505250625072508250925102511251225132514251525162517251825192520252125222523252425252526252725282529253025312532253325342535253625372538253925402541254225432544254525462547254825492550255125522553255425552556255725582559256025612562256325642565256625672568256925702571257225732574257525762577257825792580258125822583258425852586258725882589259025912592259325942595259625972598259926002601260226032604260526062607260826092610261126122613261426152616261726182619262026212622262326242625262626272628262926302631263226332634263526362637263826392640264126422643264426452646264726482649265026512652265326542655265626572658265926602661266226632664266526662667266826692670267126722673267426752676267726782679268026812682268326842685268626872688268926902691269226932694269526962697269826992700270127022703270427052706270727082709271027112712271327142715271627172718271927202721272227232724272527262727272827292730273127322733273427352736273727382739274027412742274327442745274627472748274927502751275227532754275527562757275827592760276127622763276427652766276727682769277027712772277327742775277627772778277927802781278227832784278527862787278827892790279127922793279427952796279727982799280028012802280328042805280628072808280928102811281228132814281528162817281828192820282128222823282428252826282728282829283028312832283328342835283628372838283928402841284228432844284528462847284828492850285128522853285428552856285728582859286028612862286328642865286628672868286928702871287228732874287528762877287828792880288128822883288428852886288728882889289028912892289328942895289628972898289929002901290229032904290529062907290829092910291129122913291429152916291729182919292029212922292329242925292629272928292929302931293229332934293529362937293829392940294129422943294429452946294729482949 
  1. // Package dataprovider provides data access.
    2. 

  2. // It abstracts different data providers and exposes a common API.
    3. 

  3. package dataprovider
    4. 

  4. 

  5. import (
    6. 

  6. 	"bufio"
    7. 

  7. 	"bytes"
    8. 

  8. 	"context"
    9. 

  9. 	"crypto/sha1"
    10. 

  10. 	"crypto/sha256"
    11. 

  11. 	"crypto/sha512"
    12. 

  12. 	"crypto/subtle"
    13. 

  13. 	"crypto/x509"
    14. 

  14. 	"encoding/base64"
    15. 

  15. 	"encoding/json"
    16. 

  16. 	"errors"
    17. 

  17. 	"fmt"
    18. 

  18. 	"hash"
    19. 

  19. 	"io"
    20. 

  20. 	"net"
    21. 

  21. 	"net/http"
    22. 

  22. 	"net/url"
    23. 

  23. 	"os"
    24. 

  24. 	"os/exec"
    25. 

  25. 	"path"
    26. 

  26. 	"path/filepath"
    27. 

  27. 	"regexp"
    28. 

  28. 	"runtime"
    29. 

  29. 	"strconv"
    30. 

  30. 	"strings"
    31. 

  31. 	"sync"
    32. 

  32. 	"sync/atomic"
    33. 

  33. 	"time"
    34. 

  34. 

  35. 	"github.com/GehirnInc/crypt"
    36. 

  36. 	"github.com/GehirnInc/crypt/apr1_crypt"
    37. 

  37. 	"github.com/GehirnInc/crypt/md5_crypt"
    38. 

  38. 	"github.com/GehirnInc/crypt/sha512_crypt"
    39. 

  39. 	"github.com/alexedwards/argon2id"
    40. 

  40. 	"github.com/go-chi/render"
    41. 

  41. 	"github.com/rs/xid"
    42. 

  42. 	passwordvalidator "github.com/wagslane/go-password-validator"
    43. 

  43. 	"golang.org/x/crypto/bcrypt"
    44. 

  44. 	"golang.org/x/crypto/pbkdf2"
    45. 

  45. 	"golang.org/x/crypto/ssh"
    46. 

  46. 

  47. 	"github.com/drakkan/sftpgo/v2/httpclient"
    48. 

  48. 	"github.com/drakkan/sftpgo/v2/kms"
    49. 

  49. 	"github.com/drakkan/sftpgo/v2/logger"
    50. 

  50. 	"github.com/drakkan/sftpgo/v2/metric"
    51. 

  51. 	"github.com/drakkan/sftpgo/v2/mfa"
    52. 

  52. 	"github.com/drakkan/sftpgo/v2/sdk"
    53. 

  53. 	"github.com/drakkan/sftpgo/v2/sdk/plugin"
    54. 

  54. 	"github.com/drakkan/sftpgo/v2/util"
    55. 

  55. 	"github.com/drakkan/sftpgo/v2/vfs"
    56. 

  56. )
    57. 

  57. 

  58. const (
    59. 

  59. 	// SQLiteDataProviderName defines the name for SQLite database provider
    60. 

  60. 	SQLiteDataProviderName = "sqlite"
    61. 

  61. 	// PGSQLDataProviderName defines the name for PostgreSQL database provider
    62. 

  62. 	PGSQLDataProviderName = "postgresql"
    63. 

  63. 	// MySQLDataProviderName defines the name for MySQL database provider
    64. 

  64. 	MySQLDataProviderName = "mysql"
    65. 

  65. 	// BoltDataProviderName defines the name for bbolt key/value store provider
    66. 

  66. 	BoltDataProviderName = "bolt"
    67. 

  67. 	// MemoryDataProviderName defines the name for memory provider
    68. 

  68. 	MemoryDataProviderName = "memory"
    69. 

  69. 	// CockroachDataProviderName defines the for CockroachDB provider
    70. 

  70. 	CockroachDataProviderName = "cockroachdb"
    71. 

  71. 	// DumpVersion defines the version for the dump.
    72. 

  72. 	// For restore/load we support the current version and the previous one
    73. 

  73. 	DumpVersion = 10
    74. 

  74. 

  75. 	argonPwdPrefix            = "$argon2id$"
    76. 

  76. 	bcryptPwdPrefix           = "$2a$"
    77. 

  77. 	pbkdf2SHA1Prefix          = "$pbkdf2-sha1$"
    78. 

  78. 	pbkdf2SHA256Prefix        = "$pbkdf2-sha256$"
    79. 

  79. 	pbkdf2SHA512Prefix        = "$pbkdf2-sha512$"
    80. 

  80. 	pbkdf2SHA256B64SaltPrefix = "$pbkdf2-b64salt-sha256$"
    81. 

  81. 	md5cryptPwdPrefix         = "$1$"
    82. 

  82. 	md5cryptApr1PwdPrefix     = "$apr1$"
    83. 

  83. 	sha512cryptPwdPrefix      = "$6$"
    84. 

  84. 	trackQuotaDisabledError   = "please enable track_quota in your configuration to use this method"
    85. 

  85. 	operationAdd              = "add"
    86. 

  86. 	operationUpdate           = "update"
    87. 

  87. 	operationDelete           = "delete"
    88. 

  88. 	sqlPrefixValidChars       = "abcdefghijklmnopqrstuvwxyz_0123456789"
    89. 

  89. 	maxHookResponseSize       = 1048576 // 1MB
    90. 

  90. )
    91. 

  91. 

  92. // Supported algorithms for hashing passwords.
    93. 

  93. // These algorithms can be used when SFTPGo hashes a plain text password
    94. 

  94. const (
    95. 

  95. 	HashingAlgoBcrypt   = "bcrypt"
    96. 

  96. 	HashingAlgoArgon2ID = "argon2id"
    97. 

  97. )
    98. 

  98. 

  99. // ordering constants
    100. 

  100. const (
    101. 

  101. 	OrderASC  = "ASC"
    102. 

  102. 	OrderDESC = "DESC"
    103. 

  103. )
    104. 

  104. 

  105. const (
    106. 

  106. 	protocolSSH    = "SSH"
    107. 

  107. 	protocolFTP    = "FTP"
    108. 

  108. 	protocolWebDAV = "DAV"
    109. 

  109. 	protocolHTTP   = "HTTP"
    110. 

  110. )
    111. 

  111. 

  112. var (
    113. 

  113. 	// SupportedProviders defines the supported data providers
    114. 

  114. 	SupportedProviders = []string{SQLiteDataProviderName, PGSQLDataProviderName, MySQLDataProviderName,
    115. 

  115. 		BoltDataProviderName, MemoryDataProviderName, CockroachDataProviderName}
    116. 

  116. 	// ValidPerms defines all the valid permissions for a user
    117. 

  117. 	ValidPerms = []string{PermAny, PermListItems, PermDownload, PermUpload, PermOverwrite, PermCreateDirs, PermRename,
    118. 

  118. 		PermRenameFiles, PermRenameDirs, PermDelete, PermDeleteFiles, PermDeleteDirs, PermCreateSymlinks, PermChmod,
    119. 

  119. 		PermChown, PermChtimes}
    120. 

  120. 	// ValidLoginMethods defines all the valid login methods
    121. 

  121. 	ValidLoginMethods = []string{SSHLoginMethodPublicKey, LoginMethodPassword, SSHLoginMethodKeyboardInteractive,
    122. 

  122. 		SSHLoginMethodKeyAndPassword, SSHLoginMethodKeyAndKeyboardInt, LoginMethodTLSCertificate,
    123. 

  123. 		LoginMethodTLSCertificateAndPwd}
    124. 

  124. 	// SSHMultiStepsLoginMethods defines the supported Multi-Step Authentications
    125. 

  125. 	SSHMultiStepsLoginMethods = []string{SSHLoginMethodKeyAndPassword, SSHLoginMethodKeyAndKeyboardInt}
    126. 

  126. 	// ErrNoAuthTryed defines the error for connection closed before authentication
    127. 

  127. 	ErrNoAuthTryed = errors.New("no auth tryed")
    128. 

  128. 	// ValidProtocols defines all the valid protcols
    129. 

  129. 	ValidProtocols = []string{protocolSSH, protocolFTP, protocolWebDAV, protocolHTTP}
    130. 

  130. 	// MFAProtocols defines the supported protocols for multi-factor authentication
    131. 

  131. 	MFAProtocols = []string{protocolHTTP, protocolSSH, protocolFTP}
    132. 

  132. 	// ErrNoInitRequired defines the error returned by InitProvider if no inizialization/update is required
    133. 

  133. 	ErrNoInitRequired = errors.New("the data provider is up to date")
    134. 

  134. 	// ErrInvalidCredentials defines the error to return if the supplied credentials are invalid
    135. 

  135. 	ErrInvalidCredentials = errors.New("invalid credentials")
    136. 

  136. 	// ErrLoginNotAllowedFromIP defines the error to return if login is denied from the current IP
    137. 

  137. 	ErrLoginNotAllowedFromIP = errors.New("login is not allowed from this IP")
    138. 

  138. 	isAdminCreated           = int32(0)
    139. 

  139. 	validTLSUsernames        = []string{string(sdk.TLSUsernameNone), string(sdk.TLSUsernameCN)}
    140. 

  140. 	config                   Config
    141. 

  141. 	provider                 Provider
    142. 

  142. 	sqlPlaceholders          []string
    143. 

  143. 	internalHashPwdPrefixes  = []string{argonPwdPrefix, bcryptPwdPrefix}
    144. 

  144. 	hashPwdPrefixes          = []string{argonPwdPrefix, bcryptPwdPrefix, pbkdf2SHA1Prefix, pbkdf2SHA256Prefix,
    145. 

  145. 		pbkdf2SHA512Prefix, pbkdf2SHA256B64SaltPrefix, md5cryptPwdPrefix, md5cryptApr1PwdPrefix, sha512cryptPwdPrefix}
    146. 

  146. 	pbkdfPwdPrefixes        = []string{pbkdf2SHA1Prefix, pbkdf2SHA256Prefix, pbkdf2SHA512Prefix, pbkdf2SHA256B64SaltPrefix}
    147. 

  147. 	pbkdfPwdB64SaltPrefixes = []string{pbkdf2SHA256B64SaltPrefix}
    148. 

  148. 	unixPwdPrefixes         = []string{md5cryptPwdPrefix, md5cryptApr1PwdPrefix, sha512cryptPwdPrefix}
    149. 

  149. 	sharedProviders         = []string{PGSQLDataProviderName, MySQLDataProviderName, CockroachDataProviderName}
    150. 

  150. 	logSender               = "dataProvider"
    151. 

  151. 	availabilityTicker      *time.Ticker
    152. 

  152. 	availabilityTickerDone  chan bool
    153. 

  153. 	updateCachesTicker      *time.Ticker
    154. 

  154. 	updateCachesTickerDone  chan bool
    155. 

  155. 	lastCachesUpdate        int64
    156. 

  156. 	credentialsDirPath      string
    157. 

  157. 	sqlTableUsers           = "users"
    158. 

  158. 	sqlTableFolders         = "folders"
    159. 

  159. 	sqlTableFoldersMapping  = "folders_mapping"
    160. 

  160. 	sqlTableAdmins          = "admins"
    161. 

  161. 	sqlTableAPIKeys         = "api_keys"
    162. 

  162. 	sqlTableShares          = "shares"
    163. 

  163. 	sqlTableSchemaVersion   = "schema_version"
    164. 

  164. 	argon2Params            *argon2id.Params
    165. 

  165. 	lastLoginMinDelay       = 10 * time.Minute
    166. 

  166. 	usernameRegex           = regexp.MustCompile("^[a-zA-Z0-9-_.~]+$")
    167. 

  167. 	tempPath                string
    168. 

  168. )
    169. 

  169. 

  170. type schemaVersion struct {
    171. 

  171. 	Version int
    172. 

  172. }
    173. 

  173. 

  174. // BcryptOptions defines the options for bcrypt password hashing
    175. 

  175. type BcryptOptions struct {
    176. 

  176. 	Cost int `json:"cost" mapstructure:"cost"`
    177. 

  177. }
    178. 

  178. 

  179. // Argon2Options defines the options for argon2 password hashing
    180. 

  180. type Argon2Options struct {
    181. 

  181. 	Memory      uint32 `json:"memory" mapstructure:"memory"`
    182. 

  182. 	Iterations  uint32 `json:"iterations" mapstructure:"iterations"`
    183. 

  183. 	Parallelism uint8  `json:"parallelism" mapstructure:"parallelism"`
    184. 

  184. }
    185. 

  185. 

  186. // PasswordHashing defines the configuration for password hashing
    187. 

  187. type PasswordHashing struct {
    188. 

  188. 	BcryptOptions BcryptOptions `json:"bcrypt_options" mapstructure:"bcrypt_options"`
    189. 

  189. 	Argon2Options Argon2Options `json:"argon2_options" mapstructure:"argon2_options"`
    190. 

  190. 	// Algorithm to use for hashing passwords. Available algorithms: argon2id, bcrypt. Default: bcrypt
    191. 

  191. 	Algo string `json:"algo" mapstructure:"algo"`
    192. 

  192. }
    193. 

  193. 

  194. // PasswordValidationRules defines the password validation rules
    195. 

  195. type PasswordValidationRules struct {
    196. 

  196. 	// MinEntropy defines the minimum password entropy.
    197. 

  197. 	// 0 means disabled, any password will be accepted.
    198. 

  198. 	// Take a look at the following link for more details
    199. 

  199. 	// https://github.com/wagslane/go-password-validator#what-entropy-value-should-i-use
    200. 

  200. 	MinEntropy float64 `json:"min_entropy" mapstructure:"min_entropy"`
    201. 

  201. }
    202. 

  202. 

  203. // PasswordValidation defines the password validation rules for admins and protocol users
    204. 

  204. type PasswordValidation struct {
    205. 

  205. 	// Password validation rules for SFTPGo admin users
    206. 

  206. 	Admins PasswordValidationRules `json:"admins" mapstructure:"admins"`
    207. 

  207. 	// Password validation rules for SFTPGo protocol users
    208. 

  208. 	Users PasswordValidationRules `json:"users" mapstructure:"users"`
    209. 

  209. }
    210. 

  210. 

  211. // ObjectsActions defines the action to execute on user create, update, delete for the specified objects
    212. 

  212. type ObjectsActions struct {
    213. 

  213. 	// Valid values are add, update, delete. Empty slice to disable
    214. 

  214. 	ExecuteOn []string `json:"execute_on" mapstructure:"execute_on"`
    215. 

  215. 	// Valid values are user, admin, api_key
    216. 

  216. 	ExecuteFor []string `json:"execute_for" mapstructure:"execute_for"`
    217. 

  217. 	// Absolute path to an external program or an HTTP URL
    218. 

  218. 	Hook string `json:"hook" mapstructure:"hook"`
    219. 

  219. }
    220. 

  220. 

  221. // ProviderStatus defines the provider status
    222. 

  222. type ProviderStatus struct {
    223. 

  223. 	Driver   string `json:"driver"`
    224. 

  224. 	IsActive bool   `json:"is_active"`
    225. 

  225. 	Error    string `json:"error"`
    226. 

  226. }
    227. 

  227. 

  228. // Config provider configuration
    229. 

  229. type Config struct {
    230. 

  230. 	// Driver name, must be one of the SupportedProviders
    231. 

  231. 	Driver string `json:"driver" mapstructure:"driver"`
    232. 

  232. 	// Database name. For driver sqlite this can be the database name relative to the config dir
    233. 

  233. 	// or the absolute path to the SQLite database.
    234. 

  234. 	Name string `json:"name" mapstructure:"name"`
    235. 

  235. 	// Database host
    236. 

  236. 	Host string `json:"host" mapstructure:"host"`
    237. 

  237. 	// Database port
    238. 

  238. 	Port int `json:"port" mapstructure:"port"`
    239. 

  239. 	// Database username
    240. 

  240. 	Username string `json:"username" mapstructure:"username"`
    241. 

  241. 	// Database password
    242. 

  242. 	Password string `json:"password" mapstructure:"password"`
    243. 

  243. 	// Used for drivers mysql and postgresql.
    244. 

  244. 	// 0 disable SSL/TLS connections.
    245. 

  245. 	// 1 require ssl.
    246. 

  246. 	// 2 set ssl mode to verify-ca for driver postgresql and skip-verify for driver mysql.
    247. 

  247. 	// 3 set ssl mode to verify-full for driver postgresql and preferred for driver mysql.
    248. 

  248. 	SSLMode int `json:"sslmode" mapstructure:"sslmode"`
    249. 

  249. 	// Custom database connection string.
    250. 

  250. 	// If not empty this connection string will be used instead of build one using the previous parameters
    251. 

  251. 	ConnectionString string `json:"connection_string" mapstructure:"connection_string"`
    252. 

  252. 	// prefix for SQL tables
    253. 

  253. 	SQLTablesPrefix string `json:"sql_tables_prefix" mapstructure:"sql_tables_prefix"`
    254. 

  254. 	// Set the preferred way to track users quota between the following choices:
    255. 

  255. 	// 0, disable quota tracking. REST API to scan user dir and update quota will do nothing
    256. 

  256. 	// 1, quota is updated each time a user upload or delete a file even if the user has no quota restrictions
    257. 

  257. 	// 2, quota is updated each time a user upload or delete a file but only for users with quota restrictions
    258. 

  258. 	//    and for virtual folders.
    259. 

  259. 	//    With this configuration the "quota scan" REST API can still be used to periodically update space usage
    260. 

  260. 	//    for users without quota restrictions
    261. 

  261. 	TrackQuota int `json:"track_quota" mapstructure:"track_quota"`
    262. 

  262. 	// Sets the maximum number of open connections for mysql and postgresql driver.
    263. 

  263. 	// Default 0 (unlimited)
    264. 

  264. 	PoolSize int `json:"pool_size" mapstructure:"pool_size"`
    265. 

  265. 	// Users default base directory.
    266. 

  266. 	// If no home dir is defined while adding a new user, and this value is
    267. 

  267. 	// a valid absolute path, then the user home dir will be automatically
    268. 

  268. 	// defined as the path obtained joining the base dir and the username
    269. 

  269. 	UsersBaseDir string `json:"users_base_dir" mapstructure:"users_base_dir"`
    270. 

  270. 	// Actions to execute on objects add, update, delete.
    271. 

  271. 	// The supported objects are user, admin, api_key.
    272. 

  272. 	// Update action will not be fired for internal updates such as the last login or the user quota fields.
    273. 

  273. 	Actions ObjectsActions `json:"actions" mapstructure:"actions"`
    274. 

  274. 	// Absolute path to an external program or an HTTP URL to invoke for users authentication.
    275. 

  275. 	// Leave empty to use builtin authentication.
    276. 

  276. 	// If the authentication succeed the user will be automatically added/updated inside the defined data provider.
    277. 

  277. 	// Actions defined for user added/updated will not be executed in this case.
    278. 

  278. 	// This method is slower than built-in authentication methods, but it's very flexible as anyone can
    279. 

  279. 	// easily write his own authentication hooks.
    280. 

  280. 	ExternalAuthHook string `json:"external_auth_hook" mapstructure:"external_auth_hook"`
    281. 

  281. 	// ExternalAuthScope defines the scope for the external authentication hook.
    282. 

  282. 	// - 0 means all supported authentication scopes, the external hook will be executed for password,
    283. 

  283. 	//     public key, keyboard interactive authentication and TLS certificates
    284. 

  284. 	// - 1 means passwords only
    285. 

  285. 	// - 2 means public keys only
    286. 

  286. 	// - 4 means keyboard interactive only
    287. 

  287. 	// - 8 means TLS certificates only
    288. 

  288. 	// you can combine the scopes, for example 3 means password and public key, 5 password and keyboard
    289. 

  289. 	// interactive and so on
    290. 

  290. 	ExternalAuthScope int `json:"external_auth_scope" mapstructure:"external_auth_scope"`
    291. 

  291. 	// CredentialsPath defines the directory for storing user provided credential files such as
    292. 

  292. 	// Google Cloud Storage credentials. It can be a path relative to the config dir or an
    293. 

  293. 	// absolute path
    294. 

  294. 	CredentialsPath string `json:"credentials_path" mapstructure:"credentials_path"`
    295. 

  295. 	// Absolute path to an external program or an HTTP URL to invoke just before the user login.
    296. 

  296. 	// This program/URL allows to modify or create the user trying to login.
    297. 

  297. 	// It is useful if you have users with dynamic fields to update just before the login.
    298. 

  298. 	// Please note that if you want to create a new user, the pre-login hook response must
    299. 

  299. 	// include all the mandatory user fields.
    300. 

  300. 	//
    301. 

  301. 	// The pre-login hook must finish within 30 seconds.
    302. 

  302. 	//
    303. 

  303. 	// If an error happens while executing the "PreLoginHook" then login will be denied.
    304. 

  304. 	// PreLoginHook and ExternalAuthHook are mutally exclusive.
    305. 

  305. 	// Leave empty to disable.
    306. 

  306. 	PreLoginHook string `json:"pre_login_hook" mapstructure:"pre_login_hook"`
    307. 

  307. 	// Absolute path to an external program or an HTTP URL to invoke after the user login.
    308. 

  308. 	// Based on the configured scope you can choose if notify failed or successful logins
    309. 

  309. 	// or both
    310. 

  310. 	PostLoginHook string `json:"post_login_hook" mapstructure:"post_login_hook"`
    311. 

  311. 	// PostLoginScope defines the scope for the post-login hook.
    312. 

  312. 	// - 0 means notify both failed and successful logins
    313. 

  313. 	// - 1 means notify failed logins
    314. 

  314. 	// - 2 means notify successful logins
    315. 

  315. 	PostLoginScope int `json:"post_login_scope" mapstructure:"post_login_scope"`
    316. 

  316. 	// Absolute path to an external program or an HTTP URL to invoke just before password
    317. 

  317. 	// authentication. This hook allows you to externally check the provided password,
    318. 

  318. 	// its main use case is to allow to easily support things like password+OTP for protocols
    319. 

  319. 	// without keyboard interactive support such as FTP and WebDAV. You can ask your users
    320. 

  320. 	// to login using a string consisting of a fixed password and a One Time Token, you
    321. 

  321. 	// can verify the token inside the hook and ask to SFTPGo to verify the fixed part.
    322. 

  322. 	CheckPasswordHook string `json:"check_password_hook" mapstructure:"check_password_hook"`
    323. 

  323. 	// CheckPasswordScope defines the scope for the check password hook.
    324. 

  324. 	// - 0 means all protocols
    325. 

  325. 	// - 1 means SSH
    326. 

  326. 	// - 2 means FTP
    327. 

  327. 	// - 4 means WebDAV
    328. 

  328. 	// you can combine the scopes, for example 6 means FTP and WebDAV
    329. 

  329. 	CheckPasswordScope int `json:"check_password_scope" mapstructure:"check_password_scope"`
    330. 

  330. 	// Defines how the database will be initialized/updated:
    331. 

  331. 	// - 0 means automatically
    332. 

  332. 	// - 1 means manually using the initprovider sub-command
    333. 

  333. 	UpdateMode int `json:"update_mode" mapstructure:"update_mode"`
    334. 

  334. 	// PasswordHashing defines the configuration for password hashing
    335. 

  335. 	PasswordHashing PasswordHashing `json:"password_hashing" mapstructure:"password_hashing"`
    336. 

  336. 	// PreferDatabaseCredentials indicates whether credential files (currently used for Google
    337. 

  337. 	// Cloud Storage) should be stored in the database instead of in the directory specified by
    338. 

  338. 	// CredentialsPath.
    339. 

  339. 	PreferDatabaseCredentials bool `json:"prefer_database_credentials" mapstructure:"prefer_database_credentials"`
    340. 

  340. 	// SkipNaturalKeysValidation allows to use any UTF-8 character for natural keys as username, admin name,
    341. 

  341. 	// folder name. These keys are used in URIs for REST API and Web admin. By default only unreserved URI
    342. 

  342. 	// characters are allowed: ALPHA / DIGIT / "-" / "." / "_" / "~".
    343. 

  343. 	SkipNaturalKeysValidation bool `json:"skip_natural_keys_validation" mapstructure:"skip_natural_keys_validation"`
    344. 

  344. 	// PasswordValidation defines the password validation rules
    345. 

  345. 	PasswordValidation PasswordValidation `json:"password_validation" mapstructure:"password_validation"`
    346. 

  346. 	// Verifying argon2 passwords has a high memory and computational cost,
    347. 

  347. 	// by enabling, in memory, password caching you reduce this cost.
    348. 

  348. 	PasswordCaching bool `json:"password_caching" mapstructure:"password_caching"`
    349. 

  349. 	// DelayedQuotaUpdate defines the number of seconds to accumulate quota updates.
    350. 

  350. 	// If there are a lot of close uploads, accumulating quota updates can save you many
    351. 

  351. 	// queries to the data provider.
    352. 

  352. 	// If you want to track quotas, a scheduled quota update is recommended in any case, the stored
    353. 

  353. 	// quota size may be incorrect for several reasons, such as an unexpected shutdown, temporary provider
    354. 

  354. 	// failures, file copied outside of SFTPGo, and so on.
    355. 

  355. 	// 0 means immediate quota update.
    356. 

  356. 	DelayedQuotaUpdate int `json:"delayed_quota_update" mapstructure:"delayed_quota_update"`
    357. 

  357. 	// If enabled, a default admin user with username "admin" and password "password" will be created
    358. 

  358. 	// on first start.
    359. 

  359. 	// You can also create the first admin user by using the web interface or by loading initial data.
    360. 

  360. 	CreateDefaultAdmin bool `json:"create_default_admin" mapstructure:"create_default_admin"`
    361. 

  361. 	// If the data provider is shared across multiple SFTPGo instances, set this parameter to 1.
    362. 

  362. 	// MySQL, PostgreSQL and CockroachDB can be shared, this setting is ignored for other data
    363. 

  363. 	// providers. For shared data providers, SFTPGo periodically reloads the latest updated users,
    364. 

  364. 	// based on the "updated_at" field, and updates its internal caches if users are updated from
    365. 

  365. 	// a different instance. This check, if enabled, is executed every 10 minutes
    366. 

  366. 	IsShared int `json:"is_shared" mapstructure:"is_shared"`
    367. 

  367. }
    368. 

  368. 

  369. // BackupData defines the structure for the backup/restore files
    370. 

  370. type BackupData struct {
    371. 

  371. 	Users   []User                  `json:"users"`
    372. 

  372. 	Folders []vfs.BaseVirtualFolder `json:"folders"`
    373. 

  373. 	Admins  []Admin                 `json:"admins"`
    374. 

  374. 	APIKeys []APIKey                `json:"api_keys"`
    375. 

  375. 	Shares  []Share                 `json:"shares"`
    376. 

  376. 	Version int                     `json:"version"`
    377. 

  377. }
    378. 

  378. 

  379. // HasFolder returns true if the folder with the given name is included
    380. 

  380. func (d *BackupData) HasFolder(name string) bool {
    381. 

  381. 	for _, folder := range d.Folders {
    382. 

  382. 		if folder.Name == name {
    383. 

  383. 			return true
    384. 

  384. 		}
    385. 

  385. 	}
    386. 

  386. 	return false
    387. 

  387. }
    388. 

  388. 

  389. type checkPasswordRequest struct {
    390. 

  390. 	Username string `json:"username"`
    391. 

  391. 	IP       string `json:"ip"`
    392. 

  392. 	Password string `json:"password"`
    393. 

  393. 	Protocol string `json:"protocol"`
    394. 

  394. }
    395. 

  395. 

  396. type checkPasswordResponse struct {
    397. 

  397. 	// 0 KO, 1 OK, 2 partial success, -1 not executed
    398. 

  398. 	Status int `json:"status"`
    399. 

  399. 	// for status = 2 this is the password to check against the one stored
    400. 

  400. 	// inside the SFTPGo data provider
    401. 

  401. 	ToVerify string `json:"to_verify"`
    402. 

  402. }
    403. 

  403. 

  404. // GetQuotaTracking returns the configured mode for user's quota tracking
    405. 

  405. func GetQuotaTracking() int {
    406. 

  406. 	return config.TrackQuota
    407. 

  407. }
    408. 

  408. 

  409. // Provider defines the interface that data providers must implement.
    410. 

  410. type Provider interface {
    411. 

  411. 	validateUserAndPass(username, password, ip, protocol string) (User, error)
    412. 

  412. 	validateUserAndPubKey(username string, pubKey []byte) (User, string, error)
    413. 

  413. 	validateUserAndTLSCert(username, protocol string, tlsCert *x509.Certificate) (User, error)
    414. 

  414. 	updateQuota(username string, filesAdd int, sizeAdd int64, reset bool) error
    415. 

  415. 	getUsedQuota(username string) (int, int64, error)
    416. 

  416. 	userExists(username string) (User, error)
    417. 

  417. 	addUser(user *User) error
    418. 

  418. 	updateUser(user *User) error
    419. 

  419. 	deleteUser(user *User) error
    420. 

  420. 	getUsers(limit int, offset int, order string) ([]User, error)
    421. 

  421. 	dumpUsers() ([]User, error)
    422. 

  422. 	getRecentlyUpdatedUsers(after int64) ([]User, error)
    423. 

  423. 	updateLastLogin(username string) error
    424. 

  424. 	updateAdminLastLogin(username string) error
    425. 

  425. 	setUpdatedAt(username string)
    426. 

  426. 	getFolders(limit, offset int, order string) ([]vfs.BaseVirtualFolder, error)
    427. 

  427. 	getFolderByName(name string) (vfs.BaseVirtualFolder, error)
    428. 

  428. 	addFolder(folder *vfs.BaseVirtualFolder) error
    429. 

  429. 	updateFolder(folder *vfs.BaseVirtualFolder) error
    430. 

  430. 	deleteFolder(folder *vfs.BaseVirtualFolder) error
    431. 

  431. 	updateFolderQuota(name string, filesAdd int, sizeAdd int64, reset bool) error
    432. 

  432. 	getUsedFolderQuota(name string) (int, int64, error)
    433. 

  433. 	dumpFolders() ([]vfs.BaseVirtualFolder, error)
    434. 

  434. 	adminExists(username string) (Admin, error)
    435. 

  435. 	addAdmin(admin *Admin) error
    436. 

  436. 	updateAdmin(admin *Admin) error
    437. 

  437. 	deleteAdmin(admin *Admin) error
    438. 

  438. 	getAdmins(limit int, offset int, order string) ([]Admin, error)
    439. 

  439. 	dumpAdmins() ([]Admin, error)
    440. 

  440. 	validateAdminAndPass(username, password, ip string) (Admin, error)
    441. 

  441. 	apiKeyExists(keyID string) (APIKey, error)
    442. 

  442. 	addAPIKey(apiKey *APIKey) error
    443. 

  443. 	updateAPIKey(apiKey *APIKey) error
    444. 

  444. 	deleteAPIKey(apiKey *APIKey) error
    445. 

  445. 	getAPIKeys(limit int, offset int, order string) ([]APIKey, error)
    446. 

  446. 	dumpAPIKeys() ([]APIKey, error)
    447. 

  447. 	updateAPIKeyLastUse(keyID string) error
    448. 

  448. 	shareExists(shareID, username string) (Share, error)
    449. 

  449. 	addShare(share *Share) error
    450. 

  450. 	updateShare(share *Share) error
    451. 

  451. 	deleteShare(share *Share) error
    452. 

  452. 	getShares(limit int, offset int, order, username string) ([]Share, error)
    453. 

  453. 	dumpShares() ([]Share, error)
    454. 

  454. 	updateShareLastUse(shareID string, numTokens int) error
    455. 

  455. 	checkAvailability() error
    456. 

  456. 	close() error
    457. 

  457. 	reloadConfig() error
    458. 

  458. 	initializeDatabase() error
    459. 

  459. 	migrateDatabase() error
    460. 

  460. 	revertDatabase(targetVersion int) error
    461. 

  461. 	resetDatabase() error
    462. 

  462. }
    463. 

  463. 

  464. // SetTempPath sets the path for temporary files
    465. 

  465. func SetTempPath(fsPath string) {
    466. 

  466. 	tempPath = fsPath
    467. 

  467. }
    468. 

  468. 

  469. // Initialize the data provider.
    470. 

  470. // An error is returned if the configured driver is invalid or if the data provider cannot be initialized
    471. 

  471. func Initialize(cnf Config, basePath string, checkAdmins bool) error {
    472. 

  472. 	var err error
    473. 

  473. 	config = cnf
    474. 

  474. 

  475. 	if filepath.IsAbs(config.CredentialsPath) {
    476. 

  476. 		credentialsDirPath = config.CredentialsPath
    477. 

  477. 	} else {
    478. 

  478. 		credentialsDirPath = filepath.Join(basePath, config.CredentialsPath)
    479. 

  479. 	}
    480. 

  480. 	vfs.SetCredentialsDirPath(credentialsDirPath)
    481. 

  481. 

  482. 	if err = initializeHashingAlgo(&cnf); err != nil {
    483. 

  483. 		return err
    484. 

  484. 	}
    485. 

  485. 

  486. 	if err = validateHooks(); err != nil {
    487. 

  487. 		return err
    488. 

  488. 	}
    489. 

  489. 	err = createProvider(basePath)
    490. 

  490. 	if err != nil {
    491. 

  491. 		return err
    492. 

  492. 	}
    493. 

  493. 	if cnf.UpdateMode == 0 {
    494. 

  494. 		err = provider.initializeDatabase()
    495. 

  495. 		if err != nil && err != ErrNoInitRequired {
    496. 

  496. 			logger.WarnToConsole("Unable to initialize data provider: %v", err)
    497. 

  497. 			providerLog(logger.LevelWarn, "Unable to initialize data provider: %v", err)
    498. 

  498. 			return err
    499. 

  499. 		}
    500. 

  500. 		if err == nil {
    501. 

  501. 			logger.DebugToConsole("Data provider successfully initialized")
    502. 

  502. 		}
    503. 

  503. 		err = provider.migrateDatabase()
    504. 

  504. 		if err != nil && err != ErrNoInitRequired {
    505. 

  505. 			providerLog(logger.LevelWarn, "database migration error: %v", err)
    506. 

  506. 			return err
    507. 

  507. 		}
    508. 

  508. 		if checkAdmins && cnf.CreateDefaultAdmin {
    509. 

  509. 			err = checkDefaultAdmin()
    510. 

  510. 			if err != nil {
    511. 

  511. 				providerLog(logger.LevelWarn, "check default admin error: %v", err)
    512. 

  512. 				return err
    513. 

  513. 			}
    514. 

  514. 		}
    515. 

  515. 	} else {
    516. 

  516. 		providerLog(logger.LevelInfo, "database initialization/migration skipped, manual mode is configured")
    517. 

  517. 	}
    518. 

  518. 	admins, err := provider.getAdmins(1, 0, OrderASC)
    519. 

  519. 	if err != nil {
    520. 

  520. 		return err
    521. 

  521. 	}
    522. 

  522. 	atomic.StoreInt32(&isAdminCreated, int32(len(admins)))
    523. 

  523. 	startAvailabilityTimer()
    524. 

  524. 	startUpdateCachesTimer()
    525. 

  525. 	delayedQuotaUpdater.start()
    526. 

  526. 	return nil
    527. 

  527. }
    528. 

  528. 

  529. func validateHooks() error {
    530. 

  530. 	var hooks []string
    531. 

  531. 	if config.PreLoginHook != "" && !strings.HasPrefix(config.PreLoginHook, "http") {
    532. 

  532. 		hooks = append(hooks, config.PreLoginHook)
    533. 

  533. 	}
    534. 

  534. 	if config.ExternalAuthHook != "" && !strings.HasPrefix(config.ExternalAuthHook, "http") {
    535. 

  535. 		hooks = append(hooks, config.ExternalAuthHook)
    536. 

  536. 	}
    537. 

  537. 	if config.PostLoginHook != "" && !strings.HasPrefix(config.PostLoginHook, "http") {
    538. 

  538. 		hooks = append(hooks, config.PostLoginHook)
    539. 

  539. 	}
    540. 

  540. 	if config.CheckPasswordHook != "" && !strings.HasPrefix(config.CheckPasswordHook, "http") {
    541. 

  541. 		hooks = append(hooks, config.CheckPasswordHook)
    542. 

  542. 	}
    543. 

  543. 

  544. 	for _, hook := range hooks {
    545. 

  545. 		if !filepath.IsAbs(hook) {
    546. 

  546. 			return fmt.Errorf("invalid hook: %#v must be an absolute path", hook)
    547. 

  547. 		}
    548. 

  548. 		_, err := os.Stat(hook)
    549. 

  549. 		if err != nil {
    550. 

  550. 			providerLog(logger.LevelWarn, "invalid hook: %v", err)
    551. 

  551. 			return err
    552. 

  552. 		}
    553. 

  553. 	}
    554. 

  554. 

  555. 	return nil
    556. 

  556. }
    557. 

  557. 

  558. func initializeHashingAlgo(cnf *Config) error {
    559. 

  559. 	argon2Params = &argon2id.Params{
    560. 

  560. 		Memory:      cnf.PasswordHashing.Argon2Options.Memory,
    561. 

  561. 		Iterations:  cnf.PasswordHashing.Argon2Options.Iterations,
    562. 

  562. 		Parallelism: cnf.PasswordHashing.Argon2Options.Parallelism,
    563. 

  563. 		SaltLength:  16,
    564. 

  564. 		KeyLength:   32,
    565. 

  565. 	}
    566. 

  566. 

  567. 	if config.PasswordHashing.Algo == HashingAlgoBcrypt {
    568. 

  568. 		if config.PasswordHashing.BcryptOptions.Cost > bcrypt.MaxCost {
    569. 

  569. 			err := fmt.Errorf("invalid bcrypt cost %v, max allowed %v", config.PasswordHashing.BcryptOptions.Cost, bcrypt.MaxCost)
    570. 

  570. 			logger.WarnToConsole("Unable to initialize data provider: %v", err)
    571. 

  571. 			providerLog(logger.LevelWarn, "Unable to initialize data provider: %v", err)
    572. 

  572. 			return err
    573. 

  573. 		}
    574. 

  574. 	}
    575. 

  575. 	return nil
    576. 

  576. }
    577. 

  577. 

  578. func validateSQLTablesPrefix() error {
    579. 

  579. 	if config.SQLTablesPrefix != "" {
    580. 

  580. 		for _, char := range config.SQLTablesPrefix {
    581. 

  581. 			if !strings.Contains(sqlPrefixValidChars, strings.ToLower(string(char))) {
    582. 

  582. 				return errors.New("invalid sql_tables_prefix only chars in range 'a..z', 'A..Z', '0-9' and '_' are allowed")
    583. 

  583. 			}
    584. 

  584. 		}
    585. 

  585. 		sqlTableUsers = config.SQLTablesPrefix + sqlTableUsers
    586. 

  586. 		sqlTableFolders = config.SQLTablesPrefix + sqlTableFolders
    587. 

  587. 		sqlTableFoldersMapping = config.SQLTablesPrefix + sqlTableFoldersMapping
    588. 

  588. 		sqlTableAdmins = config.SQLTablesPrefix + sqlTableAdmins
    589. 

  589. 		sqlTableAPIKeys = config.SQLTablesPrefix + sqlTableAPIKeys
    590. 

  590. 		sqlTableShares = config.SQLTablesPrefix + sqlTableShares
    591. 

  591. 		sqlTableSchemaVersion = config.SQLTablesPrefix + sqlTableSchemaVersion
    592. 

  592. 		providerLog(logger.LevelDebug, "sql table for users %#v, folders %#v folders mapping %#v admins %#v "+
    593. 

  593. 			"api keys %#v shares %#v schema version %#v", sqlTableUsers, sqlTableFolders, sqlTableFoldersMapping,
    594. 

  594. 			sqlTableAdmins, sqlTableAPIKeys, sqlTableShares, sqlTableSchemaVersion)
    595. 

  595. 	}
    596. 

  596. 	return nil
    597. 

  597. }
    598. 

  598. 

  599. func checkDefaultAdmin() error {
    600. 

  600. 	admins, err := provider.getAdmins(1, 0, OrderASC)
    601. 

  601. 	if err != nil {
    602. 

  602. 		return err
    603. 

  603. 	}
    604. 

  604. 	if len(admins) > 0 {
    605. 

  605. 		return nil
    606. 

  606. 	}
    607. 

  607. 	logger.Debug(logSender, "", "no admins found, try to create the default one")
    608. 

  608. 	// we need to create the default admin
    609. 

  609. 	admin := &Admin{}
    610. 

  610. 	if err := admin.setFromEnv(); err != nil {
    611. 

  611. 		return err
    612. 

  612. 	}
    613. 

  613. 	return provider.addAdmin(admin)
    614. 

  614. }
    615. 

  615. 

  616. // InitializeDatabase creates the initial database structure
    617. 

  617. func InitializeDatabase(cnf Config, basePath string) error {
    618. 

  618. 	config = cnf
    619. 

  619. 

  620. 	if filepath.IsAbs(config.CredentialsPath) {
    621. 

  621. 		credentialsDirPath = config.CredentialsPath
    622. 

  622. 	} else {
    623. 

  623. 		credentialsDirPath = filepath.Join(basePath, config.CredentialsPath)
    624. 

  624. 	}
    625. 

  625. 

  626. 	err := createProvider(basePath)
    627. 

  627. 	if err != nil {
    628. 

  628. 		return err
    629. 

  629. 	}
    630. 

  630. 	err = provider.initializeDatabase()
    631. 

  631. 	if err != nil && err != ErrNoInitRequired {
    632. 

  632. 		return err
    633. 

  633. 	}
    634. 

  634. 	return provider.migrateDatabase()
    635. 

  635. }
    636. 

  636. 

  637. // RevertDatabase restores schema and/or data to a previous version
    638. 

  638. func RevertDatabase(cnf Config, basePath string, targetVersion int) error {
    639. 

  639. 	config = cnf
    640. 

  640. 

  641. 	if filepath.IsAbs(config.CredentialsPath) {
    642. 

  642. 		credentialsDirPath = config.CredentialsPath
    643. 

  643. 	} else {
    644. 

  644. 		credentialsDirPath = filepath.Join(basePath, config.CredentialsPath)
    645. 

  645. 	}
    646. 

  646. 

  647. 	err := createProvider(basePath)
    648. 

  648. 	if err != nil {
    649. 

  649. 		return err
    650. 

  650. 	}
    651. 

  651. 	err = provider.initializeDatabase()
    652. 

  652. 	if err != nil && err != ErrNoInitRequired {
    653. 

  653. 		return err
    654. 

  654. 	}
    655. 

  655. 	return provider.revertDatabase(targetVersion)
    656. 

  656. }
    657. 

  657. 

  658. // ResetDatabase restores schema and/or data to a previous version
    659. 

  659. func ResetDatabase(cnf Config, basePath string) error {
    660. 

  660. 	config = cnf
    661. 

  661. 

  662. 	if filepath.IsAbs(config.CredentialsPath) {
    663. 

  663. 		credentialsDirPath = config.CredentialsPath
    664. 

  664. 	} else {
    665. 

  665. 		credentialsDirPath = filepath.Join(basePath, config.CredentialsPath)
    666. 

  666. 	}
    667. 

  667. 

  668. 	if err := createProvider(basePath); err != nil {
    669. 

  669. 		return err
    670. 

  670. 	}
    671. 

  671. 	return provider.resetDatabase()
    672. 

  672. }
    673. 

  673. 

  674. // CheckAdminAndPass validates the given admin and password connecting from ip
    675. 

  675. func CheckAdminAndPass(username, password, ip string) (Admin, error) {
    676. 

  676. 	return provider.validateAdminAndPass(username, password, ip)
    677. 

  677. }
    678. 

  678. 

  679. // CheckCachedUserCredentials checks the credentials for a cached user
    680. 

  680. func CheckCachedUserCredentials(user *CachedUser, password, loginMethod, protocol string, tlsCert *x509.Certificate) error {
    681. 

  681. 	if loginMethod != LoginMethodPassword {
    682. 

  682. 		_, err := checkUserAndTLSCertificate(&user.User, protocol, tlsCert)
    683. 

  683. 		if err != nil {
    684. 

  684. 			return err
    685. 

  685. 		}
    686. 

  686. 		if loginMethod == LoginMethodTLSCertificate {
    687. 

  687. 			if !user.User.IsLoginMethodAllowed(LoginMethodTLSCertificate, nil) {
    688. 

  688. 				return fmt.Errorf("certificate login method is not allowed for user %#v", user.User.Username)
    689. 

  689. 			}
    690. 

  690. 			return nil
    691. 

  691. 		}
    692. 

  692. 	}
    693. 

  693. 	if err := user.User.CheckLoginConditions(); err != nil {
    694. 

  694. 		return err
    695. 

  695. 	}
    696. 

  696. 	if password == "" {
    697. 

  697. 		return ErrInvalidCredentials
    698. 

  698. 	}
    699. 

  699. 	if user.Password != "" {
    700. 

  700. 		if password == user.Password {
    701. 

  701. 			return nil
    702. 

  702. 		}
    703. 

  703. 	} else {
    704. 

  704. 		if ok, _ := isPasswordOK(&user.User, password); ok {
    705. 

  705. 			return nil
    706. 

  706. 		}
    707. 

  707. 	}
    708. 

  708. 	return ErrInvalidCredentials
    709. 

  709. }
    710. 

  710. 

  711. // CheckCompositeCredentials checks multiple credentials.
    712. 

  712. // WebDAV users can send both a password and a TLS certificate within the same request
    713. 

  713. func CheckCompositeCredentials(username, password, ip, loginMethod, protocol string, tlsCert *x509.Certificate) (User, string, error) {
    714. 

  714. 	if loginMethod == LoginMethodPassword {
    715. 

  715. 		user, err := CheckUserAndPass(username, password, ip, protocol)
    716. 

  716. 		return user, loginMethod, err
    717. 

  717. 	}
    718. 

  718. 	user, err := CheckUserBeforeTLSAuth(username, ip, protocol, tlsCert)
    719. 

  719. 	if err != nil {
    720. 

  720. 		return user, loginMethod, err
    721. 

  721. 	}
    722. 

  722. 	if !user.IsTLSUsernameVerificationEnabled() {
    723. 

  723. 		// for backward compatibility with 2.0.x we only check the password and change the login method here
    724. 

  724. 		// in future updates we have to return an error
    725. 

  725. 		user, err := CheckUserAndPass(username, password, ip, protocol)
    726. 

  726. 		return user, LoginMethodPassword, err
    727. 

  727. 	}
    728. 

  728. 	user, err = checkUserAndTLSCertificate(&user, protocol, tlsCert)
    729. 

  729. 	if err != nil {
    730. 

  730. 		return user, loginMethod, err
    731. 

  731. 	}
    732. 

  732. 	if loginMethod == LoginMethodTLSCertificate && !user.IsLoginMethodAllowed(LoginMethodTLSCertificate, nil) {
    733. 

  733. 		return user, loginMethod, fmt.Errorf("certificate login method is not allowed for user %#v", user.Username)
    734. 

  734. 	}
    735. 

  735. 	if loginMethod == LoginMethodTLSCertificateAndPwd {
    736. 

  736. 		if plugin.Handler.HasAuthScope(plugin.AuthScopePassword) {
    737. 

  737. 			user, err = doPluginAuth(username, password, nil, ip, protocol, nil, plugin.AuthScopePassword)
    738. 

  738. 		} else if config.ExternalAuthHook != "" && (config.ExternalAuthScope == 0 || config.ExternalAuthScope&1 != 0) {
    739. 

  739. 			user, err = doExternalAuth(username, password, nil, "", ip, protocol, nil)
    740. 

  740. 		} else if config.PreLoginHook != "" {
    741. 

  741. 			user, err = executePreLoginHook(username, LoginMethodPassword, ip, protocol)
    742. 

  742. 		}
    743. 

  743. 		if err != nil {
    744. 

  744. 			return user, loginMethod, err
    745. 

  745. 		}
    746. 

  746. 		user, err = checkUserAndPass(&user, password, ip, protocol)
    747. 

  747. 	}
    748. 

  748. 	return user, loginMethod, err
    749. 

  749. }
    750. 

  750. 

  751. // CheckUserBeforeTLSAuth checks if a user exits before trying mutual TLS
    752. 

  752. func CheckUserBeforeTLSAuth(username, ip, protocol string, tlsCert *x509.Certificate) (User, error) {
    753. 

  753. 	if plugin.Handler.HasAuthScope(plugin.AuthScopeTLSCertificate) {
    754. 

  754. 		return doPluginAuth(username, "", nil, ip, protocol, tlsCert, plugin.AuthScopeTLSCertificate)
    755. 

  755. 	}
    756. 

  756. 	if config.ExternalAuthHook != "" && (config.ExternalAuthScope == 0 || config.ExternalAuthScope&8 != 0) {
    757. 

  757. 		return doExternalAuth(username, "", nil, "", ip, protocol, tlsCert)
    758. 

  758. 	}
    759. 

  759. 	if config.PreLoginHook != "" {
    760. 

  760. 		return executePreLoginHook(username, LoginMethodTLSCertificate, ip, protocol)
    761. 

  761. 	}
    762. 

  762. 	return UserExists(username)
    763. 

  763. }
    764. 

  764. 

  765. // CheckUserAndTLSCert returns the SFTPGo user with the given username and check if the
    766. 

  766. // given TLS certificate allow authentication without password
    767. 

  767. func CheckUserAndTLSCert(username, ip, protocol string, tlsCert *x509.Certificate) (User, error) {
    768. 

  768. 	if plugin.Handler.HasAuthScope(plugin.AuthScopeTLSCertificate) {
    769. 

  769. 		user, err := doPluginAuth(username, "", nil, ip, protocol, tlsCert, plugin.AuthScopeTLSCertificate)
    770. 

  770. 		if err != nil {
    771. 

  771. 			return user, err
    772. 

  772. 		}
    773. 

  773. 		return checkUserAndTLSCertificate(&user, protocol, tlsCert)
    774. 

  774. 	}
    775. 

  775. 	if config.ExternalAuthHook != "" && (config.ExternalAuthScope == 0 || config.ExternalAuthScope&8 != 0) {
    776. 

  776. 		user, err := doExternalAuth(username, "", nil, "", ip, protocol, tlsCert)
    777. 

  777. 		if err != nil {
    778. 

  778. 			return user, err
    779. 

  779. 		}
    780. 

  780. 		return checkUserAndTLSCertificate(&user, protocol, tlsCert)
    781. 

  781. 	}
    782. 

  782. 	if config.PreLoginHook != "" {
    783. 

  783. 		user, err := executePreLoginHook(username, LoginMethodTLSCertificate, ip, protocol)
    784. 

  784. 		if err != nil {
    785. 

  785. 			return user, err
    786. 

  786. 		}
    787. 

  787. 		return checkUserAndTLSCertificate(&user, protocol, tlsCert)
    788. 

  788. 	}
    789. 

  789. 	return provider.validateUserAndTLSCert(username, protocol, tlsCert)
    790. 

  790. }
    791. 

  791. 

  792. // CheckUserAndPass retrieves the SFTPGo user with the given username and password if a match is found or an error
    793. 

  793. func CheckUserAndPass(username, password, ip, protocol string) (User, error) {
    794. 

  794. 	if plugin.Handler.HasAuthScope(plugin.AuthScopePassword) {
    795. 

  795. 		user, err := doPluginAuth(username, password, nil, ip, protocol, nil, plugin.AuthScopePassword)
    796. 

  796. 		if err != nil {
    797. 

  797. 			return user, err
    798. 

  798. 		}
    799. 

  799. 		return checkUserAndPass(&user, password, ip, protocol)
    800. 

  800. 	}
    801. 

  801. 	if config.ExternalAuthHook != "" && (config.ExternalAuthScope == 0 || config.ExternalAuthScope&1 != 0) {
    802. 

  802. 		user, err := doExternalAuth(username, password, nil, "", ip, protocol, nil)
    803. 

  803. 		if err != nil {
    804. 

  804. 			return user, err
    805. 

  805. 		}
    806. 

  806. 		return checkUserAndPass(&user, password, ip, protocol)
    807. 

  807. 	}
    808. 

  808. 	if config.PreLoginHook != "" {
    809. 

  809. 		user, err := executePreLoginHook(username, LoginMethodPassword, ip, protocol)
    810. 

  810. 		if err != nil {
    811. 

  811. 			return user, err
    812. 

  812. 		}
    813. 

  813. 		return checkUserAndPass(&user, password, ip, protocol)
    814. 

  814. 	}
    815. 

  815. 	return provider.validateUserAndPass(username, password, ip, protocol)
    816. 

  816. }
    817. 

  817. 

  818. // CheckUserAndPubKey retrieves the SFTP user with the given username and public key if a match is found or an error
    819. 

  819. func CheckUserAndPubKey(username string, pubKey []byte, ip, protocol string) (User, string, error) {
    820. 

  820. 	if plugin.Handler.HasAuthScope(plugin.AuthScopePublicKey) {
    821. 

  821. 		user, err := doPluginAuth(username, "", pubKey, ip, protocol, nil, plugin.AuthScopePublicKey)
    822. 

  822. 		if err != nil {
    823. 

  823. 			return user, "", err
    824. 

  824. 		}
    825. 

  825. 		return checkUserAndPubKey(&user, pubKey)
    826. 

  826. 	}
    827. 

  827. 	if config.ExternalAuthHook != "" && (config.ExternalAuthScope == 0 || config.ExternalAuthScope&2 != 0) {
    828. 

  828. 		user, err := doExternalAuth(username, "", pubKey, "", ip, protocol, nil)
    829. 

  829. 		if err != nil {
    830. 

  830. 			return user, "", err
    831. 

  831. 		}
    832. 

  832. 		return checkUserAndPubKey(&user, pubKey)
    833. 

  833. 	}
    834. 

  834. 	if config.PreLoginHook != "" {
    835. 

  835. 		user, err := executePreLoginHook(username, SSHLoginMethodPublicKey, ip, protocol)
    836. 

  836. 		if err != nil {
    837. 

  837. 			return user, "", err
    838. 

  838. 		}
    839. 

  839. 		return checkUserAndPubKey(&user, pubKey)
    840. 

  840. 	}
    841. 

  841. 	return provider.validateUserAndPubKey(username, pubKey)
    842. 

  842. }
    843. 

  843. 

  844. // CheckKeyboardInteractiveAuth checks the keyboard interactive authentication and returns
    845. 

  845. // the authenticated user or an error
    846. 

  846. func CheckKeyboardInteractiveAuth(username, authHook string, client ssh.KeyboardInteractiveChallenge, ip, protocol string) (User, error) {
    847. 

  847. 	var user User
    848. 

  848. 	var err error
    849. 

  849. 	if plugin.Handler.HasAuthScope(plugin.AuthScopeKeyboardInteractive) {
    850. 

  850. 		user, err = doPluginAuth(username, "", nil, ip, protocol, nil, plugin.AuthScopeKeyboardInteractive)
    851. 

  851. 	} else if config.ExternalAuthHook != "" && (config.ExternalAuthScope == 0 || config.ExternalAuthScope&4 != 0) {
    852. 

  852. 		user, err = doExternalAuth(username, "", nil, "1", ip, protocol, nil)
    853. 

  853. 	} else if config.PreLoginHook != "" {
    854. 

  854. 		user, err = executePreLoginHook(username, SSHLoginMethodKeyboardInteractive, ip, protocol)
    855. 

  855. 	} else {
    856. 

  856. 		user, err = provider.userExists(username)
    857. 

  857. 	}
    858. 

  858. 	if err != nil {
    859. 

  859. 		return user, err
    860. 

  860. 	}
    861. 

  861. 	return doKeyboardInteractiveAuth(&user, authHook, client, ip, protocol)
    862. 

  862. }
    863. 

  863. 

  864. // UpdateShareLastUse updates the LastUseAt and UsedTokens for the given share
    865. 

  865. func UpdateShareLastUse(share *Share, numTokens int) error {
    866. 

  866. 	return provider.updateShareLastUse(share.ShareID, numTokens)
    867. 

  867. }
    868. 

  868. 

  869. // UpdateAPIKeyLastUse updates the LastUseAt field for the given API key
    870. 

  870. func UpdateAPIKeyLastUse(apiKey *APIKey) error {
    871. 

  871. 	lastUse := util.GetTimeFromMsecSinceEpoch(apiKey.LastUseAt)
    872. 

  872. 	diff := -time.Until(lastUse)
    873. 

  873. 	if diff < 0 || diff > lastLoginMinDelay {
    874. 

  874. 		return provider.updateAPIKeyLastUse(apiKey.KeyID)
    875. 

  875. 	}
    876. 

  876. 	return nil
    877. 

  877. }
    878. 

  878. 

  879. // UpdateLastLogin updates the last login field for the given SFTPGo user
    880. 

  880. func UpdateLastLogin(user *User) {
    881. 

  881. 	lastLogin := util.GetTimeFromMsecSinceEpoch(user.LastLogin)
    882. 

  882. 	diff := -time.Until(lastLogin)
    883. 

  883. 	if diff < 0 || diff > lastLoginMinDelay {
    884. 

  884. 		err := provider.updateLastLogin(user.Username)
    885. 

  885. 		if err == nil {
    886. 

  886. 			webDAVUsersCache.updateLastLogin(user.Username)
    887. 

  887. 		}
    888. 

  888. 	}
    889. 

  889. }
    890. 

  890. 

  891. // UpdateAdminLastLogin updates the last login field for the given SFTPGo admin
    892. 

  892. func UpdateAdminLastLogin(admin *Admin) {
    893. 

  893. 	lastLogin := util.GetTimeFromMsecSinceEpoch(admin.LastLogin)
    894. 

  894. 	diff := -time.Until(lastLogin)
    895. 

  895. 	if diff < 0 || diff > lastLoginMinDelay {
    896. 

  896. 		provider.updateAdminLastLogin(admin.Username) //nolint:errcheck
    897. 

  897. 	}
    898. 

  898. }
    899. 

  899. 

  900. // UpdateUserQuota updates the quota for the given SFTP user adding filesAdd and sizeAdd.
    901. 

  901. // If reset is true filesAdd and sizeAdd indicates the total files and the total size instead of the difference.
    902. 

  902. func UpdateUserQuota(user *User, filesAdd int, sizeAdd int64, reset bool) error {
    903. 

  903. 	if config.TrackQuota == 0 {
    904. 

  904. 		return util.NewMethodDisabledError(trackQuotaDisabledError)
    905. 

  905. 	} else if config.TrackQuota == 2 && !reset && !user.HasQuotaRestrictions() {
    906. 

  906. 		return nil
    907. 

  907. 	}
    908. 

  908. 	if filesAdd == 0 && sizeAdd == 0 && !reset {
    909. 

  909. 		return nil
    910. 

  910. 	}
    911. 

  911. 	if config.DelayedQuotaUpdate == 0 || reset {
    912. 

  912. 		if reset {
    913. 

  913. 			delayedQuotaUpdater.resetUserQuota(user.Username)
    914. 

  914. 		}
    915. 

  915. 		return provider.updateQuota(user.Username, filesAdd, sizeAdd, reset)
    916. 

  916. 	}
    917. 

  917. 	delayedQuotaUpdater.updateUserQuota(user.Username, filesAdd, sizeAdd)
    918. 

  918. 	return nil
    919. 

  919. }
    920. 

  920. 

  921. // UpdateVirtualFolderQuota updates the quota for the given virtual folder adding filesAdd and sizeAdd.
    922. 

  922. // If reset is true filesAdd and sizeAdd indicates the total files and the total size instead of the difference.
    923. 

  923. func UpdateVirtualFolderQuota(vfolder *vfs.BaseVirtualFolder, filesAdd int, sizeAdd int64, reset bool) error {
    924. 

  924. 	if config.TrackQuota == 0 {
    925. 

  925. 		return util.NewMethodDisabledError(trackQuotaDisabledError)
    926. 

  926. 	}
    927. 

  927. 	if filesAdd == 0 && sizeAdd == 0 && !reset {
    928. 

  928. 		return nil
    929. 

  929. 	}
    930. 

  930. 	if config.DelayedQuotaUpdate == 0 || reset {
    931. 

  931. 		if reset {
    932. 

  932. 			delayedQuotaUpdater.resetFolderQuota(vfolder.Name)
    933. 

  933. 		}
    934. 

  934. 		return provider.updateFolderQuota(vfolder.Name, filesAdd, sizeAdd, reset)
    935. 

  935. 	}
    936. 

  936. 	delayedQuotaUpdater.updateFolderQuota(vfolder.Name, filesAdd, sizeAdd)
    937. 

  937. 	return nil
    938. 

  938. }
    939. 

  939. 

  940. // GetUsedQuota returns the used quota for the given SFTP user.
    941. 

  941. func GetUsedQuota(username string) (int, int64, error) {
    942. 

  942. 	if config.TrackQuota == 0 {
    943. 

  943. 		return 0, 0, util.NewMethodDisabledError(trackQuotaDisabledError)
    944. 

  944. 	}
    945. 

  945. 	files, size, err := provider.getUsedQuota(username)
    946. 

  946. 	if err != nil {
    947. 

  947. 		return files, size, err
    948. 

  948. 	}
    949. 

  949. 	delayedFiles, delayedSize := delayedQuotaUpdater.getUserPendingQuota(username)
    950. 

  950. 	return files + delayedFiles, size + delayedSize, err
    951. 

  951. }
    952. 

  952. 

  953. // GetUsedVirtualFolderQuota returns the used quota for the given virtual folder.
    954. 

  954. func GetUsedVirtualFolderQuota(name string) (int, int64, error) {
    955. 

  955. 	if config.TrackQuota == 0 {
    956. 

  956. 		return 0, 0, util.NewMethodDisabledError(trackQuotaDisabledError)
    957. 

  957. 	}
    958. 

  958. 	files, size, err := provider.getUsedFolderQuota(name)
    959. 

  959. 	if err != nil {
    960. 

  960. 		return files, size, err
    961. 

  961. 	}
    962. 

  962. 	delayedFiles, delayedSize := delayedQuotaUpdater.getFolderPendingQuota(name)
    963. 

  963. 	return files + delayedFiles, size + delayedSize, err
    964. 

  964. }
    965. 

  965. 

  966. // AddShare adds a new share
    967. 

  967. func AddShare(share *Share, executor, ipAddress string) error {
    968. 

  968. 	err := provider.addShare(share)
    969. 

  969. 	if err == nil {
    970. 

  970. 		executeAction(operationAdd, executor, ipAddress, actionObjectShare, share.ShareID, share)
    971. 

  971. 	}
    972. 

  972. 	return err
    973. 

  973. }
    974. 

  974. 

  975. // UpdateShare updates an existing share
    976. 

  976. func UpdateShare(share *Share, executor, ipAddress string) error {
    977. 

  977. 	err := provider.updateShare(share)
    978. 

  978. 	if err == nil {
    979. 

  979. 		executeAction(operationUpdate, executor, ipAddress, actionObjectShare, share.ShareID, share)
    980. 

  980. 	}
    981. 

  981. 	return err
    982. 

  982. }
    983. 

  983. 

  984. // DeleteShare deletes an existing share
    985. 

  985. func DeleteShare(shareID string, executor, ipAddress string) error {
    986. 

  986. 	share, err := provider.shareExists(shareID, executor)
    987. 

  987. 	if err != nil {
    988. 

  988. 		return err
    989. 

  989. 	}
    990. 

  990. 	err = provider.deleteShare(&share)
    991. 

  991. 	if err == nil {
    992. 

  992. 		executeAction(operationDelete, executor, ipAddress, actionObjectShare, shareID, &share)
    993. 

  993. 	}
    994. 

  994. 	return err
    995. 

  995. }
    996. 

  996. 

  997. // ShareExists returns the share with the given ID if it exists
    998. 

  998. func ShareExists(shareID, username string) (Share, error) {
    999. 

  999. 	if shareID == "" {
    1000. 

  1000. 		return Share{}, util.NewRecordNotFoundError(fmt.Sprintf("Share %#v does not exist", shareID))
    1001. 

  1001. 	}
    1002. 

  1002. 	return provider.shareExists(shareID, username)
    1003. 

  1003. }
    1004. 

  1004. 

  1005. // AddAPIKey adds a new API key
    1006. 

  1006. func AddAPIKey(apiKey *APIKey, executor, ipAddress string) error {
    1007. 

  1007. 	err := provider.addAPIKey(apiKey)
    1008. 

  1008. 	if err == nil {
    1009. 

  1009. 		executeAction(operationAdd, executor, ipAddress, actionObjectAPIKey, apiKey.KeyID, apiKey)
    1010. 

  1010. 	}
    1011. 

  1011. 	return err
    1012. 

  1012. }
    1013. 

  1013. 

  1014. // UpdateAPIKey updates an existing API key
    1015. 

  1015. func UpdateAPIKey(apiKey *APIKey, executor, ipAddress string) error {
    1016. 

  1016. 	err := provider.updateAPIKey(apiKey)
    1017. 

  1017. 	if err == nil {
    1018. 

  1018. 		executeAction(operationUpdate, executor, ipAddress, actionObjectAPIKey, apiKey.KeyID, apiKey)
    1019. 

  1019. 	}
    1020. 

  1020. 	return err
    1021. 

  1021. }
    1022. 

  1022. 

  1023. // DeleteAPIKey deletes an existing API key
    1024. 

  1024. func DeleteAPIKey(keyID string, executor, ipAddress string) error {
    1025. 

  1025. 	apiKey, err := provider.apiKeyExists(keyID)
    1026. 

  1026. 	if err != nil {
    1027. 

  1027. 		return err
    1028. 

  1028. 	}
    1029. 

  1029. 	err = provider.deleteAPIKey(&apiKey)
    1030. 

  1030. 	if err == nil {
    1031. 

  1031. 		executeAction(operationDelete, executor, ipAddress, actionObjectAPIKey, apiKey.KeyID, &apiKey)
    1032. 

  1032. 	}
    1033. 

  1033. 	return err
    1034. 

  1034. }
    1035. 

  1035. 

  1036. // APIKeyExists returns the API key with the given ID if it exists
    1037. 

  1037. func APIKeyExists(keyID string) (APIKey, error) {
    1038. 

  1038. 	if keyID == "" {
    1039. 

  1039. 		return APIKey{}, util.NewRecordNotFoundError(fmt.Sprintf("API key %#v does not exist", keyID))
    1040. 

  1040. 	}
    1041. 

  1041. 	return provider.apiKeyExists(keyID)
    1042. 

  1042. }
    1043. 

  1043. 

  1044. // HasAdmin returns true if the first admin has been created
    1045. 

  1045. // and so SFTPGo is ready to be used
    1046. 

  1046. func HasAdmin() bool {
    1047. 

  1047. 	return atomic.LoadInt32(&isAdminCreated) > 0
    1048. 

  1048. }
    1049. 

  1049. 

  1050. // AddAdmin adds a new SFTPGo admin
    1051. 

  1051. func AddAdmin(admin *Admin, executor, ipAddress string) error {
    1052. 

  1052. 	admin.Filters.RecoveryCodes = nil
    1053. 

  1053. 	admin.Filters.TOTPConfig = TOTPConfig{
    1054. 

  1054. 		Enabled: false,
    1055. 

  1055. 	}
    1056. 

  1056. 	err := provider.addAdmin(admin)
    1057. 

  1057. 	if err == nil {
    1058. 

  1058. 		atomic.StoreInt32(&isAdminCreated, 1)
    1059. 

  1059. 		executeAction(operationAdd, executor, ipAddress, actionObjectAdmin, admin.Username, admin)
    1060. 

  1060. 	}
    1061. 

  1061. 	return err
    1062. 

  1062. }
    1063. 

  1063. 

  1064. // UpdateAdmin updates an existing SFTPGo admin
    1065. 

  1065. func UpdateAdmin(admin *Admin, executor, ipAddress string) error {
    1066. 

  1066. 	err := provider.updateAdmin(admin)
    1067. 

  1067. 	if err == nil {
    1068. 

  1068. 		executeAction(operationUpdate, executor, ipAddress, actionObjectAdmin, admin.Username, admin)
    1069. 

  1069. 	}
    1070. 

  1070. 	return err
    1071. 

  1071. }
    1072. 

  1072. 

  1073. // DeleteAdmin deletes an existing SFTPGo admin
    1074. 

  1074. func DeleteAdmin(username, executor, ipAddress string) error {
    1075. 

  1075. 	admin, err := provider.adminExists(username)
    1076. 

  1076. 	if err != nil {
    1077. 

  1077. 		return err
    1078. 

  1078. 	}
    1079. 

  1079. 	err = provider.deleteAdmin(&admin)
    1080. 

  1080. 	if err == nil {
    1081. 

  1081. 		executeAction(operationDelete, executor, ipAddress, actionObjectAdmin, admin.Username, &admin)
    1082. 

  1082. 	}
    1083. 

  1083. 	return err
    1084. 

  1084. }
    1085. 

  1085. 

  1086. // AdminExists returns the admin with the given username if it exists
    1087. 

  1087. func AdminExists(username string) (Admin, error) {
    1088. 

  1088. 	return provider.adminExists(username)
    1089. 

  1089. }
    1090. 

  1090. 

  1091. // UserExists checks if the given SFTPGo username exists, returns an error if no match is found
    1092. 

  1092. func UserExists(username string) (User, error) {
    1093. 

  1093. 	return provider.userExists(username)
    1094. 

  1094. }
    1095. 

  1095. 

  1096. // AddUser adds a new SFTPGo user.
    1097. 

  1097. func AddUser(user *User, executor, ipAddress string) error {
    1098. 

  1098. 	user.Filters.RecoveryCodes = nil
    1099. 

  1099. 	user.Filters.TOTPConfig = sdk.TOTPConfig{
    1100. 

  1100. 		Enabled: false,
    1101. 

  1101. 	}
    1102. 

  1102. 	err := provider.addUser(user)
    1103. 

  1103. 	if err == nil {
    1104. 

  1104. 		executeAction(operationAdd, executor, ipAddress, actionObjectUser, user.Username, user)
    1105. 

  1105. 	}
    1106. 

  1106. 	return err
    1107. 

  1107. }
    1108. 

  1108. 

  1109. // UpdateUser updates an existing SFTPGo user.
    1110. 

  1110. func UpdateUser(user *User, executor, ipAddress string) error {
    1111. 

  1111. 	err := provider.updateUser(user)
    1112. 

  1112. 	if err == nil {
    1113. 

  1113. 		webDAVUsersCache.swap(user)
    1114. 

  1114. 		cachedPasswords.Remove(user.Username)
    1115. 

  1115. 		executeAction(operationUpdate, executor, ipAddress, actionObjectUser, user.Username, user)
    1116. 

  1116. 	}
    1117. 

  1117. 	return err
    1118. 

  1118. }
    1119. 

  1119. 

  1120. // DeleteUser deletes an existing SFTPGo user.
    1121. 

  1121. func DeleteUser(username, executor, ipAddress string) error {
    1122. 

  1122. 	user, err := provider.userExists(username)
    1123. 

  1123. 	if err != nil {
    1124. 

  1124. 		return err
    1125. 

  1125. 	}
    1126. 

  1126. 	err = provider.deleteUser(&user)
    1127. 

  1127. 	if err == nil {
    1128. 

  1128. 		RemoveCachedWebDAVUser(user.Username)
    1129. 

  1129. 		delayedQuotaUpdater.resetUserQuota(username)
    1130. 

  1130. 		cachedPasswords.Remove(username)
    1131. 

  1131. 		executeAction(operationDelete, executor, ipAddress, actionObjectUser, user.Username, &user)
    1132. 

  1132. 	}
    1133. 

  1133. 	return err
    1134. 

  1134. }
    1135. 

  1135. 

  1136. // ReloadConfig reloads provider configuration.
    1137. 

  1137. // Currently only implemented for memory provider, allows to reload the users
    1138. 

  1138. // from the configured file, if defined
    1139. 

  1139. func ReloadConfig() error {
    1140. 

  1140. 	return provider.reloadConfig()
    1141. 

  1141. }
    1142. 

  1142. 

  1143. // GetShares returns an array of shares respecting limit and offset
    1144. 

  1144. func GetShares(limit, offset int, order, username string) ([]Share, error) {
    1145. 

  1145. 	return provider.getShares(limit, offset, order, username)
    1146. 

  1146. }
    1147. 

  1147. 

  1148. // GetAPIKeys returns an array of API keys respecting limit and offset
    1149. 

  1149. func GetAPIKeys(limit, offset int, order string) ([]APIKey, error) {
    1150. 

  1150. 	return provider.getAPIKeys(limit, offset, order)
    1151. 

  1151. }
    1152. 

  1152. 

  1153. // GetAdmins returns an array of admins respecting limit and offset
    1154. 

  1154. func GetAdmins(limit, offset int, order string) ([]Admin, error) {
    1155. 

  1155. 	return provider.getAdmins(limit, offset, order)
    1156. 

  1156. }
    1157. 

  1157. 

  1158. // GetUsers returns an array of users respecting limit and offset and filtered by username exact match if not empty
    1159. 

  1159. func GetUsers(limit, offset int, order string) ([]User, error) {
    1160. 

  1160. 	return provider.getUsers(limit, offset, order)
    1161. 

  1161. }
    1162. 

  1162. 

  1163. // AddFolder adds a new virtual folder.
    1164. 

  1164. func AddFolder(folder *vfs.BaseVirtualFolder) error {
    1165. 

  1165. 	return provider.addFolder(folder)
    1166. 

  1166. }
    1167. 

  1167. 

  1168. // UpdateFolder updates the specified virtual folder
    1169. 

  1169. func UpdateFolder(folder *vfs.BaseVirtualFolder, users []string, executor, ipAddress string) error {
    1170. 

  1170. 	err := provider.updateFolder(folder)
    1171. 

  1171. 	if err == nil {
    1172. 

  1172. 		for _, user := range users {
    1173. 

  1173. 			provider.setUpdatedAt(user)
    1174. 

  1174. 			u, err := provider.userExists(user)
    1175. 

  1175. 			if err == nil {
    1176. 

  1176. 				webDAVUsersCache.swap(&u)
    1177. 

  1177. 				executeAction(operationUpdate, executor, ipAddress, actionObjectUser, u.Username, &u)
    1178. 

  1178. 			} else {
    1179. 

  1179. 				RemoveCachedWebDAVUser(user)
    1180. 

  1180. 			}
    1181. 

  1181. 		}
    1182. 

  1182. 	}
    1183. 

  1183. 	return err
    1184. 

  1184. }
    1185. 

  1185. 

  1186. // DeleteFolder deletes an existing folder.
    1187. 

  1187. func DeleteFolder(folderName, executor, ipAddress string) error {
    1188. 

  1188. 	folder, err := provider.getFolderByName(folderName)
    1189. 

  1189. 	if err != nil {
    1190. 

  1190. 		return err
    1191. 

  1191. 	}
    1192. 

  1192. 	err = provider.deleteFolder(&folder)
    1193. 

  1193. 	if err == nil {
    1194. 

  1194. 		for _, user := range folder.Users {
    1195. 

  1195. 			provider.setUpdatedAt(user)
    1196. 

  1196. 			u, err := provider.userExists(user)
    1197. 

  1197. 			if err == nil {
    1198. 

  1198. 				executeAction(operationUpdate, executor, ipAddress, actionObjectUser, u.Username, &u)
    1199. 

  1199. 			}
    1200. 

  1200. 			RemoveCachedWebDAVUser(user)
    1201. 

  1201. 		}
    1202. 

  1202. 		delayedQuotaUpdater.resetFolderQuota(folderName)
    1203. 

  1203. 	}
    1204. 

  1204. 	return err
    1205. 

  1205. }
    1206. 

  1206. 

  1207. // GetFolderByName returns the folder with the specified name if any
    1208. 

  1208. func GetFolderByName(name string) (vfs.BaseVirtualFolder, error) {
    1209. 

  1209. 	return provider.getFolderByName(name)
    1210. 

  1210. }
    1211. 

  1211. 

  1212. // GetFolders returns an array of folders respecting limit and offset
    1213. 

  1213. func GetFolders(limit, offset int, order string) ([]vfs.BaseVirtualFolder, error) {
    1214. 

  1214. 	return provider.getFolders(limit, offset, order)
    1215. 

  1215. }
    1216. 

  1216. 

  1217. // DumpData returns all users and folders
    1218. 

  1218. func DumpData() (BackupData, error) {
    1219. 

  1219. 	var data BackupData
    1220. 

  1220. 	users, err := provider.dumpUsers()
    1221. 

  1221. 	if err != nil {
    1222. 

  1222. 		return data, err
    1223. 

  1223. 	}
    1224. 

  1224. 	folders, err := provider.dumpFolders()
    1225. 

  1225. 	if err != nil {
    1226. 

  1226. 		return data, err
    1227. 

  1227. 	}
    1228. 

  1228. 	admins, err := provider.dumpAdmins()
    1229. 

  1229. 	if err != nil {
    1230. 

  1230. 		return data, err
    1231. 

  1231. 	}
    1232. 

  1232. 	apiKeys, err := provider.dumpAPIKeys()
    1233. 

  1233. 	if err != nil {
    1234. 

  1234. 		return data, err
    1235. 

  1235. 	}
    1236. 

  1236. 	shares, err := provider.dumpShares()
    1237. 

  1237. 	if err != nil {
    1238. 

  1238. 		return data, err
    1239. 

  1239. 	}
    1240. 

  1240. 	data.Users = users
    1241. 

  1241. 	data.Folders = folders
    1242. 

  1242. 	data.Admins = admins
    1243. 

  1243. 	data.APIKeys = apiKeys
    1244. 

  1244. 	data.Shares = shares
    1245. 

  1245. 	data.Version = DumpVersion
    1246. 

  1246. 	return data, err
    1247. 

  1247. }
    1248. 

  1248. 

  1249. // ParseDumpData tries to parse data as BackupData
    1250. 

  1250. func ParseDumpData(data []byte) (BackupData, error) {
    1251. 

  1251. 	var dump BackupData
    1252. 

  1252. 	err := json.Unmarshal(data, &dump)
    1253. 

  1253. 	return dump, err
    1254. 

  1254. }
    1255. 

  1255. 

  1256. // GetProviderStatus returns an error if the provider is not available
    1257. 

  1257. func GetProviderStatus() ProviderStatus {
    1258. 

  1258. 	err := provider.checkAvailability()
    1259. 

  1259. 	status := ProviderStatus{
    1260. 

  1260. 		Driver: config.Driver,
    1261. 

  1261. 	}
    1262. 

  1262. 	if err == nil {
    1263. 

  1263. 		status.IsActive = true
    1264. 

  1264. 	} else {
    1265. 

  1265. 		status.IsActive = false
    1266. 

  1266. 		status.Error = err.Error()
    1267. 

  1267. 	}
    1268. 

  1268. 	return status
    1269. 

  1269. }
    1270. 

  1270. 

  1271. // Close releases all provider resources.
    1272. 

  1272. // This method is used in test cases.
    1273. 

  1273. // Closing an uninitialized provider is not supported
    1274. 

  1274. func Close() error {
    1275. 

  1275. 	if availabilityTicker != nil {
    1276. 

  1276. 		availabilityTicker.Stop()
    1277. 

  1277. 		availabilityTickerDone <- true
    1278. 

  1278. 		availabilityTicker = nil
    1279. 

  1279. 	}
    1280. 

  1280. 	if updateCachesTicker != nil {
    1281. 

  1281. 		updateCachesTicker.Stop()
    1282. 

  1282. 		updateCachesTickerDone <- true
    1283. 

  1283. 		updateCachesTicker = nil
    1284. 

  1284. 	}
    1285. 

  1285. 	return provider.close()
    1286. 

  1286. }
    1287. 

  1287. 

  1288. func createProvider(basePath string) error {
    1289. 

  1289. 	var err error
    1290. 

  1290. 	sqlPlaceholders = getSQLPlaceholders()
    1291. 

  1291. 	if err = validateSQLTablesPrefix(); err != nil {
    1292. 

  1292. 		return err
    1293. 

  1293. 	}
    1294. 

  1294. 	logSender = fmt.Sprintf("dataprovider_%v", config.Driver)
    1295. 

  1295. 

  1296. 	switch config.Driver {
    1297. 

  1297. 	case SQLiteDataProviderName:
    1298. 

  1298. 		return initializeSQLiteProvider(basePath)
    1299. 

  1299. 	case PGSQLDataProviderName, CockroachDataProviderName:
    1300. 

  1300. 		return initializePGSQLProvider()
    1301. 

  1301. 	case MySQLDataProviderName:
    1302. 

  1302. 		return initializeMySQLProvider()
    1303. 

  1303. 	case BoltDataProviderName:
    1304. 

  1304. 		return initializeBoltProvider(basePath)
    1305. 

  1305. 	case MemoryDataProviderName:
    1306. 

  1306. 		initializeMemoryProvider(basePath)
    1307. 

  1307. 		return nil
    1308. 

  1308. 	default:
    1309. 

  1309. 		return fmt.Errorf("unsupported data provider: %v", config.Driver)
    1310. 

  1310. 	}
    1311. 

  1311. }
    1312. 

  1312. 

  1313. func buildUserHomeDir(user *User) {
    1314. 

  1314. 	if user.HomeDir == "" {
    1315. 

  1315. 		if config.UsersBaseDir != "" {
    1316. 

  1316. 			user.HomeDir = filepath.Join(config.UsersBaseDir, user.Username)
    1317. 

  1317. 			return
    1318. 

  1318. 		}
    1319. 

  1319. 		switch user.FsConfig.Provider {
    1320. 

  1320. 		case sdk.SFTPFilesystemProvider, sdk.S3FilesystemProvider, sdk.AzureBlobFilesystemProvider, sdk.GCSFilesystemProvider:
    1321. 

  1321. 			if tempPath != "" {
    1322. 

  1322. 				user.HomeDir = filepath.Join(tempPath, user.Username)
    1323. 

  1323. 			} else {
    1324. 

  1324. 				user.HomeDir = filepath.Join(os.TempDir(), user.Username)
    1325. 

  1325. 			}
    1326. 

  1326. 		}
    1327. 

  1327. 	}
    1328. 

  1328. }
    1329. 

  1329. 

  1330. func isVirtualDirOverlapped(dir1, dir2 string, fullCheck bool) bool {
    1331. 

  1331. 	if dir1 == dir2 {
    1332. 

  1332. 		return true
    1333. 

  1333. 	}
    1334. 

  1334. 	if fullCheck {
    1335. 

  1335. 		if len(dir1) > len(dir2) {
    1336. 

  1336. 			if strings.HasPrefix(dir1, dir2+"/") {
    1337. 

  1337. 				return true
    1338. 

  1338. 			}
    1339. 

  1339. 		}
    1340. 

  1340. 		if len(dir2) > len(dir1) {
    1341. 

  1341. 			if strings.HasPrefix(dir2, dir1+"/") {
    1342. 

  1342. 				return true
    1343. 

  1343. 			}
    1344. 

  1344. 		}
    1345. 

  1345. 	}
    1346. 

  1346. 	return false
    1347. 

  1347. }
    1348. 

  1348. 

  1349. func isMappedDirOverlapped(dir1, dir2 string, fullCheck bool) bool {
    1350. 

  1350. 	if dir1 == dir2 {
    1351. 

  1351. 		return true
    1352. 

  1352. 	}
    1353. 

  1353. 	if fullCheck {
    1354. 

  1354. 		if len(dir1) > len(dir2) {
    1355. 

  1355. 			if strings.HasPrefix(dir1, dir2+string(os.PathSeparator)) {
    1356. 

  1356. 				return true
    1357. 

  1357. 			}
    1358. 

  1358. 		}
    1359. 

  1359. 		if len(dir2) > len(dir1) {
    1360. 

  1360. 			if strings.HasPrefix(dir2, dir1+string(os.PathSeparator)) {
    1361. 

  1361. 				return true
    1362. 

  1362. 			}
    1363. 

  1363. 		}
    1364. 

  1364. 	}
    1365. 

  1365. 	return false
    1366. 

  1366. }
    1367. 

  1367. 

  1368. func validateFolderQuotaLimits(folder vfs.VirtualFolder) error {
    1369. 

  1369. 	if folder.QuotaSize < -1 {
    1370. 

  1370. 		return util.NewValidationError(fmt.Sprintf("invalid quota_size: %v folder path %#v", folder.QuotaSize, folder.MappedPath))
    1371. 

  1371. 	}
    1372. 

  1372. 	if folder.QuotaFiles < -1 {
    1373. 

  1373. 		return util.NewValidationError(fmt.Sprintf("invalid quota_file: %v folder path %#v", folder.QuotaFiles, folder.MappedPath))
    1374. 

  1374. 	}
    1375. 

  1375. 	if (folder.QuotaSize == -1 && folder.QuotaFiles != -1) || (folder.QuotaFiles == -1 && folder.QuotaSize != -1) {
    1376. 

  1376. 		return util.NewValidationError(fmt.Sprintf("virtual folder quota_size and quota_files must be both -1 or >= 0, quota_size: %v quota_files: %v",
    1377. 

  1377. 			folder.QuotaFiles, folder.QuotaSize))
    1378. 

  1378. 	}
    1379. 

  1379. 	return nil
    1380. 

  1380. }
    1381. 

  1381. 

  1382. func getVirtualFolderIfInvalid(folder *vfs.BaseVirtualFolder) *vfs.BaseVirtualFolder {
    1383. 

  1383. 	if err := ValidateFolder(folder); err == nil {
    1384. 

  1384. 		return folder
    1385. 

  1385. 	}
    1386. 

  1386. 	// we try to get the folder from the data provider if only the Name is populated
    1387. 

  1387. 	if folder.MappedPath != "" {
    1388. 

  1388. 		return folder
    1389. 

  1389. 	}
    1390. 

  1390. 	if folder.Name == "" {
    1391. 

  1391. 		return folder
    1392. 

  1392. 	}
    1393. 

  1393. 	if folder.FsConfig.Provider != sdk.LocalFilesystemProvider {
    1394. 

  1394. 		return folder
    1395. 

  1395. 	}
    1396. 

  1396. 	if f, err := GetFolderByName(folder.Name); err == nil {
    1397. 

  1397. 		return &f
    1398. 

  1398. 	}
    1399. 

  1399. 	return folder
    1400. 

  1400. }
    1401. 

  1401. 

  1402. func validateUserVirtualFolders(user *User) error {
    1403. 

  1403. 	if len(user.VirtualFolders) == 0 {
    1404. 

  1404. 		user.VirtualFolders = []vfs.VirtualFolder{}
    1405. 

  1405. 		return nil
    1406. 

  1406. 	}
    1407. 

  1407. 	var virtualFolders []vfs.VirtualFolder
    1408. 

  1408. 	mappedPaths := make(map[string]bool)
    1409. 

  1409. 	virtualPaths := make(map[string]bool)
    1410. 

  1410. 	for _, v := range user.VirtualFolders {
    1411. 

  1411. 		cleanedVPath := filepath.ToSlash(path.Clean(v.VirtualPath))
    1412. 

  1412. 		if !path.IsAbs(cleanedVPath) || cleanedVPath == "/" {
    1413. 

  1413. 			return util.NewValidationError(fmt.Sprintf("invalid virtual folder %#v", v.VirtualPath))
    1414. 

  1414. 		}
    1415. 

  1415. 		if err := validateFolderQuotaLimits(v); err != nil {
    1416. 

  1416. 			return err
    1417. 

  1417. 		}
    1418. 

  1418. 		folder := getVirtualFolderIfInvalid(&v.BaseVirtualFolder)
    1419. 

  1419. 		if err := ValidateFolder(folder); err != nil {
    1420. 

  1420. 			return err
    1421. 

  1421. 		}
    1422. 

  1422. 		cleanedMPath := folder.MappedPath
    1423. 

  1423. 		if folder.IsLocalOrLocalCrypted() {
    1424. 

  1424. 			if isMappedDirOverlapped(cleanedMPath, user.GetHomeDir(), true) {
    1425. 

  1425. 				return util.NewValidationError(fmt.Sprintf("invalid mapped folder %#v cannot be inside or contain the user home dir %#v",
    1426. 

  1426. 					folder.MappedPath, user.GetHomeDir()))
    1427. 

  1427. 			}
    1428. 

  1428. 			for mPath := range mappedPaths {
    1429. 

  1429. 				if folder.IsLocalOrLocalCrypted() && isMappedDirOverlapped(mPath, cleanedMPath, false) {
    1430. 

  1430. 					return util.NewValidationError(fmt.Sprintf("invalid mapped folder %#v overlaps with mapped folder %#v",
    1431. 

  1431. 						v.MappedPath, mPath))
    1432. 

  1432. 				}
    1433. 

  1433. 			}
    1434. 

  1434. 			mappedPaths[cleanedMPath] = true
    1435. 

  1435. 		}
    1436. 

  1436. 		for vPath := range virtualPaths {
    1437. 

  1437. 			if isVirtualDirOverlapped(vPath, cleanedVPath, false) {
    1438. 

  1438. 				return util.NewValidationError(fmt.Sprintf("invalid virtual folder %#v overlaps with virtual folder %#v",
    1439. 

  1439. 					v.VirtualPath, vPath))
    1440. 

  1440. 			}
    1441. 

  1441. 		}
    1442. 

  1442. 		virtualPaths[cleanedVPath] = true
    1443. 

  1443. 		virtualFolders = append(virtualFolders, vfs.VirtualFolder{
    1444. 

  1444. 			BaseVirtualFolder: *folder,
    1445. 

  1445. 			VirtualPath:       cleanedVPath,
    1446. 

  1446. 			QuotaSize:         v.QuotaSize,
    1447. 

  1447. 			QuotaFiles:        v.QuotaFiles,
    1448. 

  1448. 		})
    1449. 

  1449. 	}
    1450. 

  1450. 	user.VirtualFolders = virtualFolders
    1451. 

  1451. 	return nil
    1452. 

  1452. }
    1453. 

  1453. 

  1454. func validateUserTOTPConfig(c *sdk.TOTPConfig, username string) error {
    1455. 

  1455. 	if !c.Enabled {
    1456. 

  1456. 		c.ConfigName = ""
    1457. 

  1457. 		c.Secret = kms.NewEmptySecret()
    1458. 

  1458. 		c.Protocols = nil
    1459. 

  1459. 		return nil
    1460. 

  1460. 	}
    1461. 

  1461. 	if c.ConfigName == "" {
    1462. 

  1462. 		return util.NewValidationError("totp: config name is mandatory")
    1463. 

  1463. 	}
    1464. 

  1464. 	if !util.IsStringInSlice(c.ConfigName, mfa.GetAvailableTOTPConfigNames()) {
    1465. 

  1465. 		return util.NewValidationError(fmt.Sprintf("totp: config name %#v not found", c.ConfigName))
    1466. 

  1466. 	}
    1467. 

  1467. 	if c.Secret.IsEmpty() {
    1468. 

  1468. 		return util.NewValidationError("totp: secret is mandatory")
    1469. 

  1469. 	}
    1470. 

  1470. 	if c.Secret.IsPlain() {
    1471. 

  1471. 		c.Secret.SetAdditionalData(username)
    1472. 

  1472. 		if err := c.Secret.Encrypt(); err != nil {
    1473. 

  1473. 			return util.NewValidationError(fmt.Sprintf("totp: unable to encrypt secret: %v", err))
    1474. 

  1474. 		}
    1475. 

  1475. 	}
    1476. 

  1476. 	c.Protocols = util.RemoveDuplicates(c.Protocols)
    1477. 

  1477. 	if len(c.Protocols) == 0 {
    1478. 

  1478. 		return util.NewValidationError("totp: specify at least one protocol")
    1479. 

  1479. 	}
    1480. 

  1480. 	for _, protocol := range c.Protocols {
    1481. 

  1481. 		if !util.IsStringInSlice(protocol, MFAProtocols) {
    1482. 

  1482. 			return util.NewValidationError(fmt.Sprintf("totp: invalid protocol %#v", protocol))
    1483. 

  1483. 		}
    1484. 

  1484. 	}
    1485. 

  1485. 	return nil
    1486. 

  1486. }
    1487. 

  1487. 

  1488. func validateUserRecoveryCodes(user *User) error {
    1489. 

  1489. 	for i := 0; i < len(user.Filters.RecoveryCodes); i++ {
    1490. 

  1490. 		code := &user.Filters.RecoveryCodes[i]
    1491. 

  1491. 		if code.Secret.IsEmpty() {
    1492. 

  1492. 			return util.NewValidationError("mfa: recovery code cannot be empty")
    1493. 

  1493. 		}
    1494. 

  1494. 		if code.Secret.IsPlain() {
    1495. 

  1495. 			code.Secret.SetAdditionalData(user.Username)
    1496. 

  1496. 			if err := code.Secret.Encrypt(); err != nil {
    1497. 

  1497. 				return util.NewValidationError(fmt.Sprintf("mfa: unable to encrypt recovery code: %v", err))
    1498. 

  1498. 			}
    1499. 

  1499. 		}
    1500. 

  1500. 	}
    1501. 

  1501. 	return nil
    1502. 

  1502. }
    1503. 

  1503. 

  1504. func validatePermissions(user *User) error {
    1505. 

  1505. 	if len(user.Permissions) == 0 {
    1506. 

  1506. 		return util.NewValidationError("please grant some permissions to this user")
    1507. 

  1507. 	}
    1508. 

  1508. 	permissions := make(map[string][]string)
    1509. 

  1509. 	if _, ok := user.Permissions["/"]; !ok {
    1510. 

  1510. 		return util.NewValidationError("permissions for the root dir \"/\" must be set")
    1511. 

  1511. 	}
    1512. 

  1512. 	for dir, perms := range user.Permissions {
    1513. 

  1513. 		if len(perms) == 0 && dir == "/" {
    1514. 

  1514. 			return util.NewValidationError(fmt.Sprintf("no permissions granted for the directory: %#v", dir))
    1515. 

  1515. 		}
    1516. 

  1516. 		if len(perms) > len(ValidPerms) {
    1517. 

  1517. 			return util.NewValidationError("invalid permissions")
    1518. 

  1518. 		}
    1519. 

  1519. 		for _, p := range perms {
    1520. 

  1520. 			if !util.IsStringInSlice(p, ValidPerms) {
    1521. 

  1521. 				return util.NewValidationError(fmt.Sprintf("invalid permission: %#v", p))
    1522. 

  1522. 			}
    1523. 

  1523. 		}
    1524. 

  1524. 		cleanedDir := filepath.ToSlash(path.Clean(dir))
    1525. 

  1525. 		if cleanedDir != "/" {
    1526. 

  1526. 			cleanedDir = strings.TrimSuffix(cleanedDir, "/")
    1527. 

  1527. 		}
    1528. 

  1528. 		if !path.IsAbs(cleanedDir) {
    1529. 

  1529. 			return util.NewValidationError(fmt.Sprintf("cannot set permissions for non absolute path: %#v", dir))
    1530. 

  1530. 		}
    1531. 

  1531. 		if dir != cleanedDir && cleanedDir == "/" {
    1532. 

  1532. 			return util.NewValidationError(fmt.Sprintf("cannot set permissions for invalid subdirectory: %#v is an alias for \"/\"", dir))
    1533. 

  1533. 		}
    1534. 

  1534. 		if util.IsStringInSlice(PermAny, perms) {
    1535. 

  1535. 			permissions[cleanedDir] = []string{PermAny}
    1536. 

  1536. 		} else {
    1537. 

  1537. 			permissions[cleanedDir] = util.RemoveDuplicates(perms)
    1538. 

  1538. 		}
    1539. 

  1539. 	}
    1540. 

  1540. 	user.Permissions = permissions
    1541. 

  1541. 	return nil
    1542. 

  1542. }
    1543. 

  1543. 

  1544. func validatePublicKeys(user *User) error {
    1545. 

  1545. 	if len(user.PublicKeys) == 0 {
    1546. 

  1546. 		user.PublicKeys = []string{}
    1547. 

  1547. 	}
    1548. 

  1548. 	var validatedKeys []string
    1549. 

  1549. 	for i, k := range user.PublicKeys {
    1550. 

  1550. 		if k == "" {
    1551. 

  1551. 			continue
    1552. 

  1552. 		}
    1553. 

  1553. 		_, _, _, _, err := ssh.ParseAuthorizedKey([]byte(k))
    1554. 

  1554. 		if err != nil {
    1555. 

  1555. 			return util.NewValidationError(fmt.Sprintf("could not parse key nr. %d: %s", i+1, err))
    1556. 

  1556. 		}
    1557. 

  1557. 		validatedKeys = append(validatedKeys, k)
    1558. 

  1558. 	}
    1559. 

  1559. 	user.PublicKeys = util.RemoveDuplicates(validatedKeys)
    1560. 

  1560. 	return nil
    1561. 

  1561. }
    1562. 

  1562. 

  1563. func validateFiltersPatternExtensions(user *User) error {
    1564. 

  1564. 	if len(user.Filters.FilePatterns) == 0 {
    1565. 

  1565. 		user.Filters.FilePatterns = []sdk.PatternsFilter{}
    1566. 

  1566. 		return nil
    1567. 

  1567. 	}
    1568. 

  1568. 	filteredPaths := []string{}
    1569. 

  1569. 	var filters []sdk.PatternsFilter
    1570. 

  1570. 	for _, f := range user.Filters.FilePatterns {
    1571. 

  1571. 		cleanedPath := filepath.ToSlash(path.Clean(f.Path))
    1572. 

  1572. 		if !path.IsAbs(cleanedPath) {
    1573. 

  1573. 			return util.NewValidationError(fmt.Sprintf("invalid path %#v for file patterns filter", f.Path))
    1574. 

  1574. 		}
    1575. 

  1575. 		if util.IsStringInSlice(cleanedPath, filteredPaths) {
    1576. 

  1576. 			return util.NewValidationError(fmt.Sprintf("duplicate file patterns filter for path %#v", f.Path))
    1577. 

  1577. 		}
    1578. 

  1578. 		if len(f.AllowedPatterns) == 0 && len(f.DeniedPatterns) == 0 {
    1579. 

  1579. 			return util.NewValidationError(fmt.Sprintf("empty file patterns filter for path %#v", f.Path))
    1580. 

  1580. 		}
    1581. 

  1581. 		f.Path = cleanedPath
    1582. 

  1582. 		allowed := make([]string, 0, len(f.AllowedPatterns))
    1583. 

  1583. 		denied := make([]string, 0, len(f.DeniedPatterns))
    1584. 

  1584. 		for _, pattern := range f.AllowedPatterns {
    1585. 

  1585. 			_, err := path.Match(pattern, "abc")
    1586. 

  1586. 			if err != nil {
    1587. 

  1587. 				return util.NewValidationError(fmt.Sprintf("invalid file pattern filter %#v", pattern))
    1588. 

  1588. 			}
    1589. 

  1589. 			allowed = append(allowed, strings.ToLower(pattern))
    1590. 

  1590. 		}
    1591. 

  1591. 		for _, pattern := range f.DeniedPatterns {
    1592. 

  1592. 			_, err := path.Match(pattern, "abc")
    1593. 

  1593. 			if err != nil {
    1594. 

  1594. 				return util.NewValidationError(fmt.Sprintf("invalid file pattern filter %#v", pattern))
    1595. 

  1595. 			}
    1596. 

  1596. 			denied = append(denied, strings.ToLower(pattern))
    1597. 

  1597. 		}
    1598. 

  1598. 		f.AllowedPatterns = allowed
    1599. 

  1599. 		f.DeniedPatterns = denied
    1600. 

  1600. 		filters = append(filters, f)
    1601. 

  1601. 		filteredPaths = append(filteredPaths, cleanedPath)
    1602. 

  1602. 	}
    1603. 

  1603. 	user.Filters.FilePatterns = filters
    1604. 

  1604. 	return nil
    1605. 

  1605. }
    1606. 

  1606. 

  1607. func checkEmptyFiltersStruct(user *User) {
    1608. 

  1608. 	if len(user.Filters.AllowedIP) == 0 {
    1609. 

  1609. 		user.Filters.AllowedIP = []string{}
    1610. 

  1610. 	}
    1611. 

  1611. 	if len(user.Filters.DeniedIP) == 0 {
    1612. 

  1612. 		user.Filters.DeniedIP = []string{}
    1613. 

  1613. 	}
    1614. 

  1614. 	if len(user.Filters.DeniedLoginMethods) == 0 {
    1615. 

  1615. 		user.Filters.DeniedLoginMethods = []string{}
    1616. 

  1616. 	}
    1617. 

  1617. 	if len(user.Filters.DeniedProtocols) == 0 {
    1618. 

  1618. 		user.Filters.DeniedProtocols = []string{}
    1619. 

  1619. 	}
    1620. 

  1620. }
    1621. 

  1621. 

  1622. func validateFilters(user *User) error {
    1623. 

  1623. 	checkEmptyFiltersStruct(user)
    1624. 

  1624. 	user.Filters.DeniedIP = util.RemoveDuplicates(user.Filters.DeniedIP)
    1625. 

  1625. 	for _, IPMask := range user.Filters.DeniedIP {
    1626. 

  1626. 		_, _, err := net.ParseCIDR(IPMask)
    1627. 

  1627. 		if err != nil {
    1628. 

  1628. 			return util.NewValidationError(fmt.Sprintf("could not parse denied IP/Mask %#v : %v", IPMask, err))
    1629. 

  1629. 		}
    1630. 

  1630. 	}
    1631. 

  1631. 	user.Filters.AllowedIP = util.RemoveDuplicates(user.Filters.AllowedIP)
    1632. 

  1632. 	for _, IPMask := range user.Filters.AllowedIP {
    1633. 

  1633. 		_, _, err := net.ParseCIDR(IPMask)
    1634. 

  1634. 		if err != nil {
    1635. 

  1635. 			return util.NewValidationError(fmt.Sprintf("could not parse allowed IP/Mask %#v : %v", IPMask, err))
    1636. 

  1636. 		}
    1637. 

  1637. 	}
    1638. 

  1638. 	user.Filters.DeniedLoginMethods = util.RemoveDuplicates(user.Filters.DeniedLoginMethods)
    1639. 

  1639. 	if len(user.Filters.DeniedLoginMethods) >= len(ValidLoginMethods) {
    1640. 

  1640. 		return util.NewValidationError("invalid denied_login_methods")
    1641. 

  1641. 	}
    1642. 

  1642. 	for _, loginMethod := range user.Filters.DeniedLoginMethods {
    1643. 

  1643. 		if !util.IsStringInSlice(loginMethod, ValidLoginMethods) {
    1644. 

  1644. 			return util.NewValidationError(fmt.Sprintf("invalid login method: %#v", loginMethod))
    1645. 

  1645. 		}
    1646. 

  1646. 	}
    1647. 

  1647. 	user.Filters.DeniedProtocols = util.RemoveDuplicates(user.Filters.DeniedProtocols)
    1648. 

  1648. 	if len(user.Filters.DeniedProtocols) >= len(ValidProtocols) {
    1649. 

  1649. 		return util.NewValidationError("invalid denied_protocols")
    1650. 

  1650. 	}
    1651. 

  1651. 	for _, p := range user.Filters.DeniedProtocols {
    1652. 

  1652. 		if !util.IsStringInSlice(p, ValidProtocols) {
    1653. 

  1653. 			return util.NewValidationError(fmt.Sprintf("invalid protocol: %#v", p))
    1654. 

  1654. 		}
    1655. 

  1655. 	}
    1656. 

  1656. 	if user.Filters.TLSUsername != "" {
    1657. 

  1657. 		if !util.IsStringInSlice(string(user.Filters.TLSUsername), validTLSUsernames) {
    1658. 

  1658. 			return util.NewValidationError(fmt.Sprintf("invalid TLS username: %#v", user.Filters.TLSUsername))
    1659. 

  1659. 		}
    1660. 

  1660. 	}
    1661. 

  1661. 	user.Filters.WebClient = util.RemoveDuplicates(user.Filters.WebClient)
    1662. 

  1662. 	for _, opts := range user.Filters.WebClient {
    1663. 

  1663. 		if !util.IsStringInSlice(opts, sdk.WebClientOptions) {
    1664. 

  1664. 			return util.NewValidationError(fmt.Sprintf("invalid web client options %#v", opts))
    1665. 

  1665. 		}
    1666. 

  1666. 	}
    1667. 

  1667. 	return validateFiltersPatternExtensions(user)
    1668. 

  1668. }
    1669. 

  1669. 

  1670. func saveGCSCredentials(fsConfig *vfs.Filesystem, helper vfs.ValidatorHelper) error {
    1671. 

  1671. 	if fsConfig.Provider != sdk.GCSFilesystemProvider {
    1672. 

  1672. 		return nil
    1673. 

  1673. 	}
    1674. 

  1674. 	if fsConfig.GCSConfig.Credentials.GetPayload() == "" {
    1675. 

  1675. 		return nil
    1676. 

  1676. 	}
    1677. 

  1677. 	if config.PreferDatabaseCredentials {
    1678. 

  1678. 		if fsConfig.GCSConfig.Credentials.IsPlain() {
    1679. 

  1679. 			fsConfig.GCSConfig.Credentials.SetAdditionalData(helper.GetEncryptionAdditionalData())
    1680. 

  1680. 			err := fsConfig.GCSConfig.Credentials.Encrypt()
    1681. 

  1681. 			if err != nil {
    1682. 

  1682. 				return err
    1683. 

  1683. 			}
    1684. 

  1684. 		}
    1685. 

  1685. 		return nil
    1686. 

  1686. 	}
    1687. 

  1687. 	if fsConfig.GCSConfig.Credentials.IsPlain() {
    1688. 

  1688. 		fsConfig.GCSConfig.Credentials.SetAdditionalData(helper.GetEncryptionAdditionalData())
    1689. 

  1689. 		err := fsConfig.GCSConfig.Credentials.Encrypt()
    1690. 

  1690. 		if err != nil {
    1691. 

  1691. 			return util.NewValidationError(fmt.Sprintf("could not encrypt GCS credentials: %v", err))
    1692. 

  1692. 		}
    1693. 

  1693. 	}
    1694. 

  1694. 	creds, err := json.Marshal(fsConfig.GCSConfig.Credentials)
    1695. 

  1695. 	if err != nil {
    1696. 

  1696. 		return util.NewValidationError(fmt.Sprintf("could not marshal GCS credentials: %v", err))
    1697. 

  1697. 	}
    1698. 

  1698. 	credentialsFilePath := helper.GetGCSCredentialsFilePath()
    1699. 

  1699. 	err = os.MkdirAll(filepath.Dir(credentialsFilePath), 0700)
    1700. 

  1700. 	if err != nil {
    1701. 

  1701. 		return util.NewValidationError(fmt.Sprintf("could not create GCS credentials dir: %v", err))
    1702. 

  1702. 	}
    1703. 

  1703. 	err = os.WriteFile(credentialsFilePath, creds, 0600)
    1704. 

  1704. 	if err != nil {
    1705. 

  1705. 		return util.NewValidationError(fmt.Sprintf("could not save GCS credentials: %v", err))
    1706. 

  1706. 	}
    1707. 

  1707. 	fsConfig.GCSConfig.Credentials = kms.NewEmptySecret()
    1708. 

  1708. 	return nil
    1709. 

  1709. }
    1710. 

  1710. 

  1711. func validateBaseParams(user *User) error {
    1712. 

  1712. 	if user.Username == "" {
    1713. 

  1713. 		return util.NewValidationError("username is mandatory")
    1714. 

  1714. 	}
    1715. 

  1715. 	if user.Email != "" && !emailRegex.MatchString(user.Email) {
    1716. 

  1716. 		return util.NewValidationError(fmt.Sprintf("email %#v is not valid", user.Email))
    1717. 

  1717. 	}
    1718. 

  1718. 	if !config.SkipNaturalKeysValidation && !usernameRegex.MatchString(user.Username) {
    1719. 

  1719. 		return util.NewValidationError(fmt.Sprintf("username %#v is not valid, the following characters are allowed: a-zA-Z0-9-_.~",
    1720. 

  1720. 			user.Username))
    1721. 

  1721. 	}
    1722. 

  1722. 	if user.HomeDir == "" {
    1723. 

  1723. 		return util.NewValidationError("home_dir is mandatory")
    1724. 

  1724. 	}
    1725. 

  1725. 	if user.Password == "" && len(user.PublicKeys) == 0 {
    1726. 

  1726. 		return util.NewValidationError("please set a password or at least a public_key")
    1727. 

  1727. 	}
    1728. 

  1728. 	if !filepath.IsAbs(user.HomeDir) {
    1729. 

  1729. 		return util.NewValidationError(fmt.Sprintf("home_dir must be an absolute path, actual value: %v", user.HomeDir))
    1730. 

  1730. 	}
    1731. 

  1731. 	return nil
    1732. 

  1732. }
    1733. 

  1733. 

  1734. func createUserPasswordHash(user *User) error {
    1735. 

  1735. 	if user.Password != "" && !user.IsPasswordHashed() {
    1736. 

  1736. 		if config.PasswordValidation.Users.MinEntropy > 0 {
    1737. 

  1737. 			if err := passwordvalidator.Validate(user.Password, config.PasswordValidation.Users.MinEntropy); err != nil {
    1738. 

  1738. 				return util.NewValidationError(err.Error())
    1739. 

  1739. 			}
    1740. 

  1740. 		}
    1741. 

  1741. 		if config.PasswordHashing.Algo == HashingAlgoBcrypt {
    1742. 

  1742. 			pwd, err := bcrypt.GenerateFromPassword([]byte(user.Password), config.PasswordHashing.BcryptOptions.Cost)
    1743. 

  1743. 			if err != nil {
    1744. 

  1744. 				return err
    1745. 

  1745. 			}
    1746. 

  1746. 			user.Password = string(pwd)
    1747. 

  1747. 		} else {
    1748. 

  1748. 			pwd, err := argon2id.CreateHash(user.Password, argon2Params)
    1749. 

  1749. 			if err != nil {
    1750. 

  1750. 				return err
    1751. 

  1751. 			}
    1752. 

  1752. 			user.Password = pwd
    1753. 

  1753. 		}
    1754. 

  1754. 	}
    1755. 

  1755. 	return nil
    1756. 

  1756. }
    1757. 

  1757. 

  1758. // ValidateFolder returns an error if the folder is not valid
    1759. 

  1759. // FIXME: this should be defined as Folder struct method
    1760. 

  1760. func ValidateFolder(folder *vfs.BaseVirtualFolder) error {
    1761. 

  1761. 	folder.FsConfig.SetEmptySecretsIfNil()
    1762. 

  1762. 	if folder.Name == "" {
    1763. 

  1763. 		return util.NewValidationError("folder name is mandatory")
    1764. 

  1764. 	}
    1765. 

  1765. 	if !config.SkipNaturalKeysValidation && !usernameRegex.MatchString(folder.Name) {
    1766. 

  1766. 		return util.NewValidationError(fmt.Sprintf("folder name %#v is not valid, the following characters are allowed: a-zA-Z0-9-_.~",
    1767. 

  1767. 			folder.Name))
    1768. 

  1768. 	}
    1769. 

  1769. 	if folder.FsConfig.Provider == sdk.LocalFilesystemProvider || folder.FsConfig.Provider == sdk.CryptedFilesystemProvider ||
    1770. 

  1770. 		folder.MappedPath != "" {
    1771. 

  1771. 		cleanedMPath := filepath.Clean(folder.MappedPath)
    1772. 

  1772. 		if !filepath.IsAbs(cleanedMPath) {
    1773. 

  1773. 			return util.NewValidationError(fmt.Sprintf("invalid folder mapped path %#v", folder.MappedPath))
    1774. 

  1774. 		}
    1775. 

  1775. 		folder.MappedPath = cleanedMPath
    1776. 

  1776. 	}
    1777. 

  1777. 	if folder.HasRedactedSecret() {
    1778. 

  1778. 		return errors.New("cannot save a folder with a redacted secret")
    1779. 

  1779. 	}
    1780. 

  1780. 	if err := folder.FsConfig.Validate(folder); err != nil {
    1781. 

  1781. 		return err
    1782. 

  1782. 	}
    1783. 

  1783. 	return saveGCSCredentials(&folder.FsConfig, folder)
    1784. 

  1784. }
    1785. 

  1785. 

  1786. // ValidateUser returns an error if the user is not valid
    1787. 

  1787. // FIXME: this should be defined as User struct method
    1788. 

  1788. func ValidateUser(user *User) error {
    1789. 

  1789. 	user.SetEmptySecretsIfNil()
    1790. 

  1790. 	buildUserHomeDir(user)
    1791. 

  1791. 	if err := validateBaseParams(user); err != nil {
    1792. 

  1792. 		return err
    1793. 

  1793. 	}
    1794. 

  1794. 	if err := validatePermissions(user); err != nil {
    1795. 

  1795. 		return err
    1796. 

  1796. 	}
    1797. 

  1797. 	if user.hasRedactedSecret() {
    1798. 

  1798. 		return util.NewValidationError("cannot save a user with a redacted secret")
    1799. 

  1799. 	}
    1800. 

  1800. 	if err := validateUserTOTPConfig(&user.Filters.TOTPConfig, user.Username); err != nil {
    1801. 

  1801. 		return err
    1802. 

  1802. 	}
    1803. 

  1803. 	if err := validateUserRecoveryCodes(user); err != nil {
    1804. 

  1804. 		return err
    1805. 

  1805. 	}
    1806. 

  1806. 	if err := user.FsConfig.Validate(user); err != nil {
    1807. 

  1807. 		return err
    1808. 

  1808. 	}
    1809. 

  1809. 	if err := validateUserVirtualFolders(user); err != nil {
    1810. 

  1810. 		return err
    1811. 

  1811. 	}
    1812. 

  1812. 	if user.Status < 0 || user.Status > 1 {
    1813. 

  1813. 		return util.NewValidationError(fmt.Sprintf("invalid user status: %v", user.Status))
    1814. 

  1814. 	}
    1815. 

  1815. 	if err := createUserPasswordHash(user); err != nil {
    1816. 

  1816. 		return err
    1817. 

  1817. 	}
    1818. 

  1818. 	if err := validatePublicKeys(user); err != nil {
    1819. 

  1819. 		return err
    1820. 

  1820. 	}
    1821. 

  1821. 	if err := validateFilters(user); err != nil {
    1822. 

  1822. 		return err
    1823. 

  1823. 	}
    1824. 

  1824. 	if user.Filters.TOTPConfig.Enabled && util.IsStringInSlice(sdk.WebClientMFADisabled, user.Filters.WebClient) {
    1825. 

  1825. 		return util.NewValidationError("multi-factor authentication cannot be disabled for a user with an active configuration")
    1826. 

  1826. 	}
    1827. 

  1827. 	return saveGCSCredentials(&user.FsConfig, user)
    1828. 

  1828. }
    1829. 

  1829. 

  1830. func isPasswordOK(user *User, password string) (bool, error) {
    1831. 

  1831. 	if config.PasswordCaching {
    1832. 

  1832. 		found, match := cachedPasswords.Check(user.Username, password)
    1833. 

  1833. 		if found {
    1834. 

  1834. 			return match, nil
    1835. 

  1835. 		}
    1836. 

  1836. 	}
    1837. 

  1837. 

  1838. 	match := false
    1839. 

  1839. 	var err error
    1840. 

  1840. 	if strings.HasPrefix(user.Password, bcryptPwdPrefix) {
    1841. 

  1841. 		if err = bcrypt.CompareHashAndPassword([]byte(user.Password), []byte(password)); err != nil {
    1842. 

  1842. 			return match, ErrInvalidCredentials
    1843. 

  1843. 		}
    1844. 

  1844. 		match = true
    1845. 

  1845. 	} else if strings.HasPrefix(user.Password, argonPwdPrefix) {
    1846. 

  1846. 		match, err = argon2id.ComparePasswordAndHash(password, user.Password)
    1847. 

  1847. 		if err != nil {
    1848. 

  1848. 			providerLog(logger.LevelWarn, "error comparing password with argon hash: %v", err)
    1849. 

  1849. 			return match, err
    1850. 

  1850. 		}
    1851. 

  1851. 	} else if util.IsStringPrefixInSlice(user.Password, pbkdfPwdPrefixes) {
    1852. 

  1852. 		match, err = comparePbkdf2PasswordAndHash(password, user.Password)
    1853. 

  1853. 		if err != nil {
    1854. 

  1854. 			return match, err
    1855. 

  1855. 		}
    1856. 

  1856. 	} else if util.IsStringPrefixInSlice(user.Password, unixPwdPrefixes) {
    1857. 

  1857. 		match, err = compareUnixPasswordAndHash(user, password)
    1858. 

  1858. 		if err != nil {
    1859. 

  1859. 			return match, err
    1860. 

  1860. 		}
    1861. 

  1861. 	}
    1862. 

  1862. 	if err == nil && match {
    1863. 

  1863. 		cachedPasswords.Add(user.Username, password)
    1864. 

  1864. 	}
    1865. 

  1865. 	return match, err
    1866. 

  1866. }
    1867. 

  1867. 

  1868. func checkUserAndTLSCertificate(user *User, protocol string, tlsCert *x509.Certificate) (User, error) {
    1869. 

  1869. 	err := user.CheckLoginConditions()
    1870. 

  1870. 	if err != nil {
    1871. 

  1871. 		return *user, err
    1872. 

  1872. 	}
    1873. 

  1873. 	switch protocol {
    1874. 

  1874. 	case protocolFTP, protocolWebDAV:
    1875. 

  1875. 		if user.Filters.TLSUsername == sdk.TLSUsernameCN {
    1876. 

  1876. 			if user.Username == tlsCert.Subject.CommonName {
    1877. 

  1877. 				return *user, nil
    1878. 

  1878. 			}
    1879. 

  1879. 			return *user, fmt.Errorf("CN %#v does not match username %#v", tlsCert.Subject.CommonName, user.Username)
    1880. 

  1880. 		}
    1881. 

  1881. 		return *user, errors.New("TLS certificate is not valid")
    1882. 

  1882. 	default:
    1883. 

  1883. 		return *user, fmt.Errorf("certificate authentication is not supported for protocol %v", protocol)
    1884. 

  1884. 	}
    1885. 

  1885. }
    1886. 

  1886. 

  1887. func checkUserAndPass(user *User, password, ip, protocol string) (User, error) {
    1888. 

  1888. 	err := user.CheckLoginConditions()
    1889. 

  1889. 	if err != nil {
    1890. 

  1890. 		return *user, err
    1891. 

  1891. 	}
    1892. 

  1892. 	password, err = checkUserPasscode(user, password, protocol)
    1893. 

  1893. 	if err != nil {
    1894. 

  1894. 		return *user, ErrInvalidCredentials
    1895. 

  1895. 	}
    1896. 

  1896. 	if user.Password == "" {
    1897. 

  1897. 		return *user, errors.New("credentials cannot be null or empty")
    1898. 

  1898. 	}
    1899. 

  1899. 	if !user.Filters.Hooks.CheckPasswordDisabled {
    1900. 

  1900. 		hookResponse, err := executeCheckPasswordHook(user.Username, password, ip, protocol)
    1901. 

  1901. 		if err != nil {
    1902. 

  1902. 			providerLog(logger.LevelDebug, "error executing check password hook for user %#v, ip %v, protocol %v: %v",
    1903. 

  1903. 				user.Username, ip, protocol, err)
    1904. 

  1904. 			return *user, errors.New("unable to check credentials")
    1905. 

  1905. 		}
    1906. 

  1906. 		switch hookResponse.Status {
    1907. 

  1907. 		case -1:
    1908. 

  1908. 			// no hook configured
    1909. 

  1909. 		case 1:
    1910. 

  1910. 			providerLog(logger.LevelDebug, "password accepted by check password hook for user %#v, ip %v, protocol %v",
    1911. 

  1911. 				user.Username, ip, protocol)
    1912. 

  1912. 			return *user, nil
    1913. 

  1913. 		case 2:
    1914. 

  1914. 			providerLog(logger.LevelDebug, "partial success from check password hook for user %#v, ip %v, protocol %v",
    1915. 

  1915. 				user.Username, ip, protocol)
    1916. 

  1916. 			password = hookResponse.ToVerify
    1917. 

  1917. 		default:
    1918. 

  1918. 			providerLog(logger.LevelDebug, "password rejected by check password hook for user %#v, ip %v, protocol %v, status: %v",
    1919. 

  1919. 				user.Username, ip, protocol, hookResponse.Status)
    1920. 

  1920. 			return *user, ErrInvalidCredentials
    1921. 

  1921. 		}
    1922. 

  1922. 	}
    1923. 

  1923. 

  1924. 	match, err := isPasswordOK(user, password)
    1925. 

  1925. 	if !match {
    1926. 

  1926. 		err = ErrInvalidCredentials
    1927. 

  1927. 	}
    1928. 

  1928. 	return *user, err
    1929. 

  1929. }
    1930. 

  1930. 

  1931. func checkUserPasscode(user *User, password, protocol string) (string, error) {
    1932. 

  1932. 	if user.Filters.TOTPConfig.Enabled {
    1933. 

  1933. 		switch protocol {
    1934. 

  1934. 		case protocolFTP:
    1935. 

  1935. 			if util.IsStringInSlice(protocol, user.Filters.TOTPConfig.Protocols) {
    1936. 

  1936. 				// the TOTP passcode has six digits
    1937. 

  1937. 				pwdLen := len(password)
    1938. 

  1938. 				if pwdLen < 7 {
    1939. 

  1939. 					providerLog(logger.LevelDebug, "password len %v is too short to contain a passcode, user %#v, protocol %v",
    1940. 

  1940. 						pwdLen, user.Username, protocol)
    1941. 

  1941. 					return "", util.NewValidationError("password too short, cannot contain the passcode")
    1942. 

  1942. 				}
    1943. 

  1943. 				err := user.Filters.TOTPConfig.Secret.TryDecrypt()
    1944. 

  1944. 				if err != nil {
    1945. 

  1945. 					providerLog(logger.LevelWarn, "unable to decrypt TOTP secret for user %#v, protocol %v, err: %v",
    1946. 

  1946. 						user.Username, protocol, err)
    1947. 

  1947. 					return "", err
    1948. 

  1948. 				}
    1949. 

  1949. 				pwd := password[0:(pwdLen - 6)]
    1950. 

  1950. 				passcode := password[(pwdLen - 6):]
    1951. 

  1951. 				match, err := mfa.ValidateTOTPPasscode(user.Filters.TOTPConfig.ConfigName, passcode,
    1952. 

  1952. 					user.Filters.TOTPConfig.Secret.GetPayload())
    1953. 

  1953. 				if !match || err != nil {
    1954. 

  1954. 					providerLog(logger.LevelWarn, "invalid passcode for user %#v, protocol %v, err: %v",
    1955. 

  1955. 						user.Username, protocol, err)
    1956. 

  1956. 					return "", util.NewValidationError("invalid passcode")
    1957. 

  1957. 				}
    1958. 

  1958. 				return pwd, nil
    1959. 

  1959. 			}
    1960. 

  1960. 		}
    1961. 

  1961. 	}
    1962. 

  1962. 	return password, nil
    1963. 

  1963. }
    1964. 

  1964. 

  1965. func checkUserAndPubKey(user *User, pubKey []byte) (User, string, error) {
    1966. 

  1966. 	err := user.CheckLoginConditions()
    1967. 

  1967. 	if err != nil {
    1968. 

  1968. 		return *user, "", err
    1969. 

  1969. 	}
    1970. 

  1970. 	if len(user.PublicKeys) == 0 {
    1971. 

  1971. 		return *user, "", ErrInvalidCredentials
    1972. 

  1972. 	}
    1973. 

  1973. 	for i, k := range user.PublicKeys {
    1974. 

  1974. 		storedPubKey, comment, _, _, err := ssh.ParseAuthorizedKey([]byte(k))
    1975. 

  1975. 		if err != nil {
    1976. 

  1976. 			providerLog(logger.LevelWarn, "error parsing stored public key %d for user %v: %v", i, user.Username, err)
    1977. 

  1977. 			return *user, "", err
    1978. 

  1978. 		}
    1979. 

  1979. 		if bytes.Equal(storedPubKey.Marshal(), pubKey) {
    1980. 

  1980. 			certInfo := ""
    1981. 

  1981. 			cert, ok := storedPubKey.(*ssh.Certificate)
    1982. 

  1982. 			if ok {
    1983. 

  1983. 				certInfo = fmt.Sprintf(" %v ID: %v Serial: %v CA: %v", cert.Type(), cert.KeyId, cert.Serial,
    1984. 

  1984. 					ssh.FingerprintSHA256(cert.SignatureKey))
    1985. 

  1985. 			}
    1986. 

  1986. 			return *user, fmt.Sprintf("%v:%v%v", ssh.FingerprintSHA256(storedPubKey), comment, certInfo), nil
    1987. 

  1987. 		}
    1988. 

  1988. 	}
    1989. 

  1989. 	return *user, "", ErrInvalidCredentials
    1990. 

  1990. }
    1991. 

  1991. 

  1992. func compareUnixPasswordAndHash(user *User, password string) (bool, error) {
    1993. 

  1993. 	var crypter crypt.Crypter
    1994. 

  1994. 	if strings.HasPrefix(user.Password, sha512cryptPwdPrefix) {
    1995. 

  1995. 		crypter = sha512_crypt.New()
    1996. 

  1996. 	} else if strings.HasPrefix(user.Password, md5cryptPwdPrefix) {
    1997. 

  1997. 		crypter = md5_crypt.New()
    1998. 

  1998. 	} else if strings.HasPrefix(user.Password, md5cryptApr1PwdPrefix) {
    1999. 

  1999. 		crypter = apr1_crypt.New()
    2000. 

  2000. 	} else {
    2001. 

  2001. 		return false, errors.New("unix crypt: invalid or unsupported hash format")
    2002. 

  2002. 	}
    2003. 

  2003. 	if err := crypter.Verify(user.Password, []byte(password)); err != nil {
    2004. 

  2004. 		return false, err
    2005. 

  2005. 	}
    2006. 

  2006. 	return true, nil
    2007. 

  2007. }
    2008. 

  2008. 

  2009. func comparePbkdf2PasswordAndHash(password, hashedPassword string) (bool, error) {
    2010. 

  2010. 	vals := strings.Split(hashedPassword, "$")
    2011. 

  2011. 	if len(vals) != 5 {
    2012. 

  2012. 		return false, fmt.Errorf("pbkdf2: hash is not in the correct format")
    2013. 

  2013. 	}
    2014. 

  2014. 	iterations, err := strconv.Atoi(vals[2])
    2015. 

  2015. 	if err != nil {
    2016. 

  2016. 		return false, err
    2017. 

  2017. 	}
    2018. 

  2018. 	expected, err := base64.StdEncoding.DecodeString(vals[4])
    2019. 

  2019. 	if err != nil {
    2020. 

  2020. 		return false, err
    2021. 

  2021. 	}
    2022. 

  2022. 	var salt []byte
    2023. 

  2023. 	if util.IsStringPrefixInSlice(hashedPassword, pbkdfPwdB64SaltPrefixes) {
    2024. 

  2024. 		salt, err = base64.StdEncoding.DecodeString(vals[3])
    2025. 

  2025. 		if err != nil {
    2026. 

  2026. 			return false, err
    2027. 

  2027. 		}
    2028. 

  2028. 	} else {
    2029. 

  2029. 		salt = []byte(vals[3])
    2030. 

  2030. 	}
    2031. 

  2031. 	var hashFunc func() hash.Hash
    2032. 

  2032. 	if strings.HasPrefix(hashedPassword, pbkdf2SHA256Prefix) || strings.HasPrefix(hashedPassword, pbkdf2SHA256B64SaltPrefix) {
    2033. 

  2033. 		hashFunc = sha256.New
    2034. 

  2034. 	} else if strings.HasPrefix(hashedPassword, pbkdf2SHA512Prefix) {
    2035. 

  2035. 		hashFunc = sha512.New
    2036. 

  2036. 	} else if strings.HasPrefix(hashedPassword, pbkdf2SHA1Prefix) {
    2037. 

  2037. 		hashFunc = sha1.New
    2038. 

  2038. 	} else {
    2039. 

  2039. 		return false, fmt.Errorf("pbkdf2: invalid or unsupported hash format %v", vals[1])
    2040. 

  2040. 	}
    2041. 

  2041. 	df := pbkdf2.Key([]byte(password), salt, iterations, len(expected), hashFunc)
    2042. 

  2042. 	return subtle.ConstantTimeCompare(df, expected) == 1, nil
    2043. 

  2043. }
    2044. 

  2044. 

  2045. func addCredentialsToUser(user *User) error {
    2046. 

  2046. 	if err := addFolderCredentialsToUser(user); err != nil {
    2047. 

  2047. 		return err
    2048. 

  2048. 	}
    2049. 

  2049. 	if user.FsConfig.Provider != sdk.GCSFilesystemProvider {
    2050. 

  2050. 		return nil
    2051. 

  2051. 	}
    2052. 

  2052. 	if user.FsConfig.GCSConfig.AutomaticCredentials > 0 {
    2053. 

  2053. 		return nil
    2054. 

  2054. 	}
    2055. 

  2055. 

  2056. 	// Don't read from file if credentials have already been set
    2057. 

  2057. 	if user.FsConfig.GCSConfig.Credentials.IsValid() {
    2058. 

  2058. 		return nil
    2059. 

  2059. 	}
    2060. 

  2060. 

  2061. 	cred, err := os.ReadFile(user.GetGCSCredentialsFilePath())
    2062. 

  2062. 	if err != nil {
    2063. 

  2063. 		return err
    2064. 

  2064. 	}
    2065. 

  2065. 	return json.Unmarshal(cred, &user.FsConfig.GCSConfig.Credentials)
    2066. 

  2066. }
    2067. 

  2067. 

  2068. func addFolderCredentialsToUser(user *User) error {
    2069. 

  2069. 	for idx := range user.VirtualFolders {
    2070. 

  2070. 		f := &user.VirtualFolders[idx]
    2071. 

  2071. 		if f.FsConfig.Provider != sdk.GCSFilesystemProvider {
    2072. 

  2072. 			continue
    2073. 

  2073. 		}
    2074. 

  2074. 		if f.FsConfig.GCSConfig.AutomaticCredentials > 0 {
    2075. 

  2075. 			continue
    2076. 

  2076. 		}
    2077. 

  2077. 		// Don't read from file if credentials have already been set
    2078. 

  2078. 		if f.FsConfig.GCSConfig.Credentials.IsValid() {
    2079. 

  2079. 			continue
    2080. 

  2080. 		}
    2081. 

  2081. 		cred, err := os.ReadFile(f.GetGCSCredentialsFilePath())
    2082. 

  2082. 		if err != nil {
    2083. 

  2083. 			return err
    2084. 

  2084. 		}
    2085. 

  2085. 		err = json.Unmarshal(cred, f.FsConfig.GCSConfig.Credentials)
    2086. 

  2086. 		if err != nil {
    2087. 

  2087. 			return err
    2088. 

  2088. 		}
    2089. 

  2089. 	}
    2090. 

  2090. 	return nil
    2091. 

  2091. }
    2092. 

  2092. 

  2093. func getSSLMode() string {
    2094. 

  2094. 	if config.Driver == PGSQLDataProviderName || config.Driver == CockroachDataProviderName {
    2095. 

  2095. 		if config.SSLMode == 0 {
    2096. 

  2096. 			return "disable"
    2097. 

  2097. 		} else if config.SSLMode == 1 {
    2098. 

  2098. 			return "require"
    2099. 

  2099. 		} else if config.SSLMode == 2 {
    2100. 

  2100. 			return "verify-ca"
    2101. 

  2101. 		} else if config.SSLMode == 3 {
    2102. 

  2102. 			return "verify-full"
    2103. 

  2103. 		}
    2104. 

  2104. 	} else if config.Driver == MySQLDataProviderName {
    2105. 

  2105. 		if config.SSLMode == 0 {
    2106. 

  2106. 			return "false"
    2107. 

  2107. 		} else if config.SSLMode == 1 {
    2108. 

  2108. 			return "true"
    2109. 

  2109. 		} else if config.SSLMode == 2 {
    2110. 

  2110. 			return "skip-verify"
    2111. 

  2111. 		} else if config.SSLMode == 3 {
    2112. 

  2112. 			return "preferred"
    2113. 

  2113. 		}
    2114. 

  2114. 	}
    2115. 

  2115. 	return ""
    2116. 

  2116. }
    2117. 

  2117. 

  2118. func checkCacheUpdates() {
    2119. 

  2119. 	providerLog(logger.LevelDebug, "start caches check, update time %v", util.GetTimeFromMsecSinceEpoch(lastCachesUpdate))
    2120. 

  2120. 	checkTime := util.GetTimeAsMsSinceEpoch(time.Now())
    2121. 

  2121. 	users, err := provider.getRecentlyUpdatedUsers(lastCachesUpdate)
    2122. 

  2122. 	if err != nil {
    2123. 

  2123. 		providerLog(logger.LevelWarn, "unable to get recently updated users: %v", err)
    2124. 

  2124. 		return
    2125. 

  2125. 	}
    2126. 

  2126. 	for _, user := range users {
    2127. 

  2127. 		providerLog(logger.LevelDebug, "invalidate caches for user %#v", user.Username)
    2128. 

  2128. 		webDAVUsersCache.swap(&user)
    2129. 

  2129. 		cachedPasswords.Remove(user.Username)
    2130. 

  2130. 	}
    2131. 

  2131. 

  2132. 	lastCachesUpdate = checkTime
    2133. 

  2133. 	providerLog(logger.LevelDebug, "end caches check, new update time %v", util.GetTimeFromMsecSinceEpoch(lastCachesUpdate))
    2134. 

  2134. }
    2135. 

  2135. 

  2136. func startUpdateCachesTimer() {
    2137. 

  2137. 	if config.IsShared == 0 {
    2138. 

  2138. 		return
    2139. 

  2139. 	}
    2140. 

  2140. 	if !util.IsStringInSlice(config.Driver, sharedProviders) {
    2141. 

  2141. 		providerLog(logger.LevelWarn, "update caches not supported for provider %v", config.Driver)
    2142. 

  2142. 		return
    2143. 

  2143. 	}
    2144. 

  2144. 	lastCachesUpdate = util.GetTimeAsMsSinceEpoch(time.Now())
    2145. 

  2145. 	providerLog(logger.LevelDebug, "update caches check started for provider %v", config.Driver)
    2146. 

  2146. 	updateCachesTicker = time.NewTicker(10 * time.Minute)
    2147. 

  2147. 	updateCachesTickerDone = make(chan bool)
    2148. 

  2148. 

  2149. 	go func() {
    2150. 

  2150. 		for {
    2151. 

  2151. 			select {
    2152. 

  2152. 			case <-updateCachesTickerDone:
    2153. 

  2153. 				return
    2154. 

  2154. 			case <-updateCachesTicker.C:
    2155. 

  2155. 				checkCacheUpdates()
    2156. 

  2156. 			}
    2157. 

  2157. 		}
    2158. 

  2158. 	}()
    2159. 

  2159. }
    2160. 

  2160. 

  2161. func startAvailabilityTimer() {
    2162. 

  2162. 	availabilityTicker = time.NewTicker(30 * time.Second)
    2163. 

  2163. 	availabilityTickerDone = make(chan bool)
    2164. 

  2164. 	checkDataprovider()
    2165. 

  2165. 	go func() {
    2166. 

  2166. 		for {
    2167. 

  2167. 			select {
    2168. 

  2168. 			case <-availabilityTickerDone:
    2169. 

  2169. 				return
    2170. 

  2170. 			case <-availabilityTicker.C:
    2171. 

  2171. 				checkDataprovider()
    2172. 

  2172. 			}
    2173. 

  2173. 		}
    2174. 

  2174. 	}()
    2175. 

  2175. }
    2176. 

  2176. 

  2177. func checkDataprovider() {
    2178. 

  2178. 	err := provider.checkAvailability()
    2179. 

  2179. 	if err != nil {
    2180. 

  2180. 		providerLog(logger.LevelWarn, "check availability error: %v", err)
    2181. 

  2181. 	}
    2182. 

  2182. 	metric.UpdateDataProviderAvailability(err)
    2183. 

  2183. }
    2184. 

  2184. 

  2185. func terminateInteractiveAuthProgram(cmd *exec.Cmd, isFinished bool) {
    2186. 

  2186. 	if isFinished {
    2187. 

  2187. 		return
    2188. 

  2188. 	}
    2189. 

  2189. 	providerLog(logger.LevelInfo, "kill interactive auth program after an unexpected error")
    2190. 

  2190. 	err := cmd.Process.Kill()
    2191. 

  2191. 	if err != nil {
    2192. 

  2192. 		providerLog(logger.LevelDebug, "error killing interactive auth program: %v", err)
    2193. 

  2193. 	}
    2194. 

  2194. }
    2195. 

  2195. 

  2196. func sendKeyboardAuthHTTPReq(url string, request *plugin.KeyboardAuthRequest) (*plugin.KeyboardAuthResponse, error) {
    2197. 

  2197. 	reqAsJSON, err := json.Marshal(request)
    2198. 

  2198. 	if err != nil {
    2199. 

  2199. 		providerLog(logger.LevelWarn, "error serializing keyboard interactive auth request: %v", err)
    2200. 

  2200. 		return nil, err
    2201. 

  2201. 	}
    2202. 

  2202. 	resp, err := httpclient.Post(url, "application/json", bytes.NewBuffer(reqAsJSON))
    2203. 

  2203. 	if err != nil {
    2204. 

  2204. 		providerLog(logger.LevelWarn, "error getting keyboard interactive auth hook HTTP response: %v", err)
    2205. 

  2205. 		return nil, err
    2206. 

  2206. 	}
    2207. 

  2207. 	defer resp.Body.Close()
    2208. 

  2208. 	if resp.StatusCode != http.StatusOK {
    2209. 

  2209. 		return nil, fmt.Errorf("wrong keyboard interactive auth http status code: %v, expected 200", resp.StatusCode)
    2210. 

  2210. 	}
    2211. 

  2211. 	var response plugin.KeyboardAuthResponse
    2212. 

  2212. 	err = render.DecodeJSON(resp.Body, &response)
    2213. 

  2213. 	return &response, err
    2214. 

  2214. }
    2215. 

  2215. 

  2216. func doBuiltinKeyboardInteractiveAuth(user *User, client ssh.KeyboardInteractiveChallenge, ip, protocol string) (int, error) {
    2217. 

  2217. 	answers, err := client(user.Username, "", []string{"Password: "}, []bool{false})
    2218. 

  2218. 	if err != nil {
    2219. 

  2219. 		return 0, err
    2220. 

  2220. 	}
    2221. 

  2221. 	if len(answers) != 1 {
    2222. 

  2222. 		return 0, fmt.Errorf("unexpected number of answers: %v", len(answers))
    2223. 

  2223. 	}
    2224. 

  2224. 	_, err = checkUserAndPass(user, answers[0], ip, protocol)
    2225. 

  2225. 	if err != nil {
    2226. 

  2226. 		return 0, err
    2227. 

  2227. 	}
    2228. 

  2228. 	if !user.Filters.TOTPConfig.Enabled || !util.IsStringInSlice(protocolSSH, user.Filters.TOTPConfig.Protocols) {
    2229. 

  2229. 		return 1, nil
    2230. 

  2230. 	}
    2231. 

  2231. 	err = user.Filters.TOTPConfig.Secret.TryDecrypt()
    2232. 

  2232. 	if err != nil {
    2233. 

  2233. 		providerLog(logger.LevelWarn, "unable to decrypt TOTP secret for user %#v, protocol %v, err: %v",
    2234. 

  2234. 			user.Username, protocol, err)
    2235. 

  2235. 		return 0, err
    2236. 

  2236. 	}
    2237. 

  2237. 	answers, err = client(user.Username, "", []string{"Authentication code: "}, []bool{false})
    2238. 

  2238. 	if err != nil {
    2239. 

  2239. 		return 0, err
    2240. 

  2240. 	}
    2241. 

  2241. 	if len(answers) != 1 {
    2242. 

  2242. 		return 0, fmt.Errorf("unexpected number of answers: %v", len(answers))
    2243. 

  2243. 	}
    2244. 

  2244. 	match, err := mfa.ValidateTOTPPasscode(user.Filters.TOTPConfig.ConfigName, answers[0],
    2245. 

  2245. 		user.Filters.TOTPConfig.Secret.GetPayload())
    2246. 

  2246. 	if !match || err != nil {
    2247. 

  2247. 		providerLog(logger.LevelWarn, "invalid passcode for user %#v, protocol %v, err: %v",
    2248. 

  2248. 			user.Username, protocol, err)
    2249. 

  2249. 		return 0, util.NewValidationError("invalid passcode")
    2250. 

  2250. 	}
    2251. 

  2251. 	return 1, nil
    2252. 

  2252. }
    2253. 

  2253. 

  2254. func executeKeyboardInteractivePlugin(user *User, client ssh.KeyboardInteractiveChallenge, ip, protocol string) (int, error) {
    2255. 

  2255. 	authResult := 0
    2256. 

  2256. 	requestID := xid.New().String()
    2257. 

  2257. 	authStep := 1
    2258. 

  2258. 	req := &plugin.KeyboardAuthRequest{
    2259. 

  2259. 		Username:  user.Username,
    2260. 

  2260. 		IP:        ip,
    2261. 

  2261. 		Password:  user.Password,
    2262. 

  2262. 		RequestID: requestID,
    2263. 

  2263. 		Step:      authStep,
    2264. 

  2264. 	}
    2265. 

  2265. 	var response *plugin.KeyboardAuthResponse
    2266. 

  2266. 	var err error
    2267. 

  2267. 	for {
    2268. 

  2268. 		response, err = plugin.Handler.ExecuteKeyboardInteractiveStep(req)
    2269. 

  2269. 		if err != nil {
    2270. 

  2270. 			return authResult, err
    2271. 

  2271. 		}
    2272. 

  2272. 		if response.AuthResult != 0 {
    2273. 

  2273. 			return response.AuthResult, err
    2274. 

  2274. 		}
    2275. 

  2275. 		if err = response.Validate(); err != nil {
    2276. 

  2276. 			providerLog(logger.LevelInfo, "invalid response from keyboard interactive plugin: %v", err)
    2277. 

  2277. 			return authResult, err
    2278. 

  2278. 		}
    2279. 

  2279. 		answers, err := getKeyboardInteractiveAnswers(client, response, user, ip, protocol)
    2280. 

  2280. 		if err != nil {
    2281. 

  2281. 			return authResult, err
    2282. 

  2282. 		}
    2283. 

  2283. 		authStep++
    2284. 

  2284. 		req = &plugin.KeyboardAuthRequest{
    2285. 

  2285. 			RequestID: requestID,
    2286. 

  2286. 			Step:      authStep,
    2287. 

  2287. 			Username:  user.Username,
    2288. 

  2288. 			Password:  user.Password,
    2289. 

  2289. 			Answers:   answers,
    2290. 

  2290. 			Questions: response.Questions,
    2291. 

  2291. 		}
    2292. 

  2292. 	}
    2293. 

  2293. }
    2294. 

  2294. 

  2295. func executeKeyboardInteractiveHTTPHook(user *User, authHook string, client ssh.KeyboardInteractiveChallenge, ip, protocol string) (int, error) {
    2296. 

  2296. 	authResult := 0
    2297. 

  2297. 	requestID := xid.New().String()
    2298. 

  2298. 	authStep := 1
    2299. 

  2299. 	req := &plugin.KeyboardAuthRequest{
    2300. 

  2300. 		Username:  user.Username,
    2301. 

  2301. 		IP:        ip,
    2302. 

  2302. 		Password:  user.Password,
    2303. 

  2303. 		RequestID: requestID,
    2304. 

  2304. 		Step:      authStep,
    2305. 

  2305. 	}
    2306. 

  2306. 	var response *plugin.KeyboardAuthResponse
    2307. 

  2307. 	var err error
    2308. 

  2308. 	for {
    2309. 

  2309. 		response, err = sendKeyboardAuthHTTPReq(authHook, req)
    2310. 

  2310. 		if err != nil {
    2311. 

  2311. 			return authResult, err
    2312. 

  2312. 		}
    2313. 

  2313. 		if response.AuthResult != 0 {
    2314. 

  2314. 			return response.AuthResult, err
    2315. 

  2315. 		}
    2316. 

  2316. 		if err = response.Validate(); err != nil {
    2317. 

  2317. 			providerLog(logger.LevelInfo, "invalid response from keyboard interactive http hook: %v", err)
    2318. 

  2318. 			return authResult, err
    2319. 

  2319. 		}
    2320. 

  2320. 		answers, err := getKeyboardInteractiveAnswers(client, response, user, ip, protocol)
    2321. 

  2321. 		if err != nil {
    2322. 

  2322. 			return authResult, err
    2323. 

  2323. 		}
    2324. 

  2324. 		authStep++
    2325. 

  2325. 		req = &plugin.KeyboardAuthRequest{
    2326. 

  2326. 			RequestID: requestID,
    2327. 

  2327. 			Step:      authStep,
    2328. 

  2328. 			Username:  user.Username,
    2329. 

  2329. 			Password:  user.Password,
    2330. 

  2330. 			Answers:   answers,
    2331. 

  2331. 			Questions: response.Questions,
    2332. 

  2332. 		}
    2333. 

  2333. 	}
    2334. 

  2334. }
    2335. 

  2335. 

  2336. func getKeyboardInteractiveAnswers(client ssh.KeyboardInteractiveChallenge, response *plugin.KeyboardAuthResponse,
    2337. 

  2337. 	user *User, ip, protocol string,
    2338. 

  2338. ) ([]string, error) {
    2339. 

  2339. 	questions := response.Questions
    2340. 

  2340. 	answers, err := client(user.Username, response.Instruction, questions, response.Echos)
    2341. 

  2341. 	if err != nil {
    2342. 

  2342. 		providerLog(logger.LevelInfo, "error getting interactive auth client response: %v", err)
    2343. 

  2343. 		return answers, err
    2344. 

  2344. 	}
    2345. 

  2345. 	if len(answers) != len(questions) {
    2346. 

  2346. 		err = fmt.Errorf("client answers does not match questions, expected: %v actual: %v", questions, answers)
    2347. 

  2347. 		providerLog(logger.LevelInfo, "keyboard interactive auth error: %v", err)
    2348. 

  2348. 		return answers, err
    2349. 

  2349. 	}
    2350. 

  2350. 	if len(answers) == 1 && response.CheckPwd > 0 {
    2351. 

  2351. 		if response.CheckPwd == 2 {
    2352. 

  2352. 			if !user.Filters.TOTPConfig.Enabled || !util.IsStringInSlice(protocolSSH, user.Filters.TOTPConfig.Protocols) {
    2353. 

  2353. 				providerLog(logger.LevelInfo, "keyboard interactive auth error: unable to check TOTP passcode, TOTP is not enabled for user %#v",
    2354. 

  2354. 					user.Username)
    2355. 

  2355. 				return answers, errors.New("TOTP not enabled for SSH protocol")
    2356. 

  2356. 			}
    2357. 

  2357. 			err := user.Filters.TOTPConfig.Secret.TryDecrypt()
    2358. 

  2358. 			if err != nil {
    2359. 

  2359. 				providerLog(logger.LevelWarn, "unable to decrypt TOTP secret for user %#v, protocol %v, err: %v",
    2360. 

  2360. 					user.Username, protocol, err)
    2361. 

  2361. 				return answers, fmt.Errorf("unable to decrypt TOTP secret: %w", err)
    2362. 

  2362. 			}
    2363. 

  2363. 			match, err := mfa.ValidateTOTPPasscode(user.Filters.TOTPConfig.ConfigName, answers[0],
    2364. 

  2364. 				user.Filters.TOTPConfig.Secret.GetPayload())
    2365. 

  2365. 			if !match || err != nil {
    2366. 

  2366. 				providerLog(logger.LevelInfo, "keyboard interactive auth error: unable to validate passcode for user %#v, match? %v, err: %v",
    2367. 

  2367. 					user.Username, match, err)
    2368. 

  2368. 				return answers, errors.New("unable to validate TOTP passcode")
    2369. 

  2369. 			}
    2370. 

  2370. 		} else {
    2371. 

  2371. 			_, err = checkUserAndPass(user, answers[0], ip, protocol)
    2372. 

  2372. 			providerLog(logger.LevelInfo, "interactive auth hook requested password validation for user %#v, validation error: %v",
    2373. 

  2373. 				user.Username, err)
    2374. 

  2374. 			if err != nil {
    2375. 

  2375. 				return answers, err
    2376. 

  2376. 			}
    2377. 

  2377. 		}
    2378. 

  2378. 		answers[0] = "OK"
    2379. 

  2379. 	}
    2380. 

  2380. 	return answers, err
    2381. 

  2381. }
    2382. 

  2382. 

  2383. func handleProgramInteractiveQuestions(client ssh.KeyboardInteractiveChallenge, response *plugin.KeyboardAuthResponse,
    2384. 

  2384. 	user *User, stdin io.WriteCloser, ip, protocol string,
    2385. 

  2385. ) error {
    2386. 

  2386. 	answers, err := getKeyboardInteractiveAnswers(client, response, user, ip, protocol)
    2387. 

  2387. 	if err != nil {
    2388. 

  2388. 		return err
    2389. 

  2389. 	}
    2390. 

  2390. 	for _, answer := range answers {
    2391. 

  2391. 		if runtime.GOOS == "windows" {
    2392. 

  2392. 			answer += "\r"
    2393. 

  2393. 		}
    2394. 

  2394. 		answer += "\n"
    2395. 

  2395. 		_, err = stdin.Write([]byte(answer))
    2396. 

  2396. 		if err != nil {
    2397. 

  2397. 			providerLog(logger.LevelError, "unable to write client answer to keyboard interactive program: %v", err)
    2398. 

  2398. 			return err
    2399. 

  2399. 		}
    2400. 

  2400. 	}
    2401. 

  2401. 	return nil
    2402. 

  2402. }
    2403. 

  2403. 

  2404. func executeKeyboardInteractiveProgram(user *User, authHook string, client ssh.KeyboardInteractiveChallenge, ip, protocol string) (int, error) {
    2405. 

  2405. 	authResult := 0
    2406. 

  2406. 	ctx, cancel := context.WithTimeout(context.Background(), 60*time.Second)
    2407. 

  2407. 	defer cancel()
    2408. 

  2408. 	cmd := exec.CommandContext(ctx, authHook)
    2409. 

  2409. 	cmd.Env = append(os.Environ(),
    2410. 

  2410. 		fmt.Sprintf("SFTPGO_AUTHD_USERNAME=%v", user.Username),
    2411. 

  2411. 		fmt.Sprintf("SFTPGO_AUTHD_IP=%v", ip),
    2412. 

  2412. 		fmt.Sprintf("SFTPGO_AUTHD_PASSWORD=%v", user.Password))
    2413. 

  2413. 	stdout, err := cmd.StdoutPipe()
    2414. 

  2414. 	if err != nil {
    2415. 

  2415. 		return authResult, err
    2416. 

  2416. 	}
    2417. 

  2417. 	stdin, err := cmd.StdinPipe()
    2418. 

  2418. 	if err != nil {
    2419. 

  2419. 		return authResult, err
    2420. 

  2420. 	}
    2421. 

  2421. 	err = cmd.Start()
    2422. 

  2422. 	if err != nil {
    2423. 

  2423. 		return authResult, err
    2424. 

  2424. 	}
    2425. 

  2425. 	var once sync.Once
    2426. 

  2426. 	scanner := bufio.NewScanner(stdout)
    2427. 

  2427. 	for scanner.Scan() {
    2428. 

  2428. 		var response plugin.KeyboardAuthResponse
    2429. 

  2429. 		err = json.Unmarshal(scanner.Bytes(), &response)
    2430. 

  2430. 		if err != nil {
    2431. 

  2431. 			providerLog(logger.LevelInfo, "interactive auth error parsing response: %v", err)
    2432. 

  2432. 			once.Do(func() { terminateInteractiveAuthProgram(cmd, false) })
    2433. 

  2433. 			break
    2434. 

  2434. 		}
    2435. 

  2435. 		if response.AuthResult != 0 {
    2436. 

  2436. 			authResult = response.AuthResult
    2437. 

  2437. 			break
    2438. 

  2438. 		}
    2439. 

  2439. 		if err = response.Validate(); err != nil {
    2440. 

  2440. 			providerLog(logger.LevelInfo, "invalid response from keyboard interactive program: %v", err)
    2441. 

  2441. 			once.Do(func() { terminateInteractiveAuthProgram(cmd, false) })
    2442. 

  2442. 			break
    2443. 

  2443. 		}
    2444. 

  2444. 		go func() {
    2445. 

  2445. 			err := handleProgramInteractiveQuestions(client, &response, user, stdin, ip, protocol)
    2446. 

  2446. 			if err != nil {
    2447. 

  2447. 				once.Do(func() { terminateInteractiveAuthProgram(cmd, false) })
    2448. 

  2448. 			}
    2449. 

  2449. 		}()
    2450. 

  2450. 	}
    2451. 

  2451. 	stdin.Close()
    2452. 

  2452. 	once.Do(func() { terminateInteractiveAuthProgram(cmd, true) })
    2453. 

  2453. 	go func() {
    2454. 

  2454. 		_, err := cmd.Process.Wait()
    2455. 

  2455. 		if err != nil {
    2456. 

  2456. 			providerLog(logger.LevelWarn, "error waiting for #%v process to exit: %v", authHook, err)
    2457. 

  2457. 		}
    2458. 

  2458. 	}()
    2459. 

  2459. 

  2460. 	return authResult, err
    2461. 

  2461. }
    2462. 

  2462. 

  2463. func doKeyboardInteractiveAuth(user *User, authHook string, client ssh.KeyboardInteractiveChallenge, ip, protocol string) (User, error) {
    2464. 

  2464. 	var authResult int
    2465. 

  2465. 	var err error
    2466. 

  2466. 	if plugin.Handler.HasAuthScope(plugin.AuthScopeKeyboardInteractive) {
    2467. 

  2467. 		authResult, err = executeKeyboardInteractivePlugin(user, client, ip, protocol)
    2468. 

  2468. 	} else if authHook != "" {
    2469. 

  2469. 		if strings.HasPrefix(authHook, "http") {
    2470. 

  2470. 			authResult, err = executeKeyboardInteractiveHTTPHook(user, authHook, client, ip, protocol)
    2471. 

  2471. 		} else {
    2472. 

  2472. 			authResult, err = executeKeyboardInteractiveProgram(user, authHook, client, ip, protocol)
    2473. 

  2473. 		}
    2474. 

  2474. 	} else {
    2475. 

  2475. 		authResult, err = doBuiltinKeyboardInteractiveAuth(user, client, ip, protocol)
    2476. 

  2476. 	}
    2477. 

  2477. 	if err != nil {
    2478. 

  2478. 		return *user, err
    2479. 

  2479. 	}
    2480. 

  2480. 	if authResult != 1 {
    2481. 

  2481. 		return *user, fmt.Errorf("keyboard interactive auth failed, result: %v", authResult)
    2482. 

  2482. 	}
    2483. 

  2483. 	err = user.CheckLoginConditions()
    2484. 

  2484. 	if err != nil {
    2485. 

  2485. 		return *user, err
    2486. 

  2486. 	}
    2487. 

  2487. 	return *user, nil
    2488. 

  2488. }
    2489. 

  2489. 

  2490. func isCheckPasswordHookDefined(protocol string) bool {
    2491. 

  2491. 	if config.CheckPasswordHook == "" {
    2492. 

  2492. 		return false
    2493. 

  2493. 	}
    2494. 

  2494. 	if config.CheckPasswordScope == 0 {
    2495. 

  2495. 		return true
    2496. 

  2496. 	}
    2497. 

  2497. 	switch protocol {
    2498. 

  2498. 	case protocolSSH:
    2499. 

  2499. 		return config.CheckPasswordScope&1 != 0
    2500. 

  2500. 	case protocolFTP:
    2501. 

  2501. 		return config.CheckPasswordScope&2 != 0
    2502. 

  2502. 	case protocolWebDAV:
    2503. 

  2503. 		return config.CheckPasswordScope&4 != 0
    2504. 

  2504. 	default:
    2505. 

  2505. 		return false
    2506. 

  2506. 	}
    2507. 

  2507. }
    2508. 

  2508. 

  2509. func getPasswordHookResponse(username, password, ip, protocol string) ([]byte, error) {
    2510. 

  2510. 	if strings.HasPrefix(config.CheckPasswordHook, "http") {
    2511. 

  2511. 		var result []byte
    2512. 

  2512. 		req := checkPasswordRequest{
    2513. 

  2513. 			Username: username,
    2514. 

  2514. 			Password: password,
    2515. 

  2515. 			IP:       ip,
    2516. 

  2516. 			Protocol: protocol,
    2517. 

  2517. 		}
    2518. 

  2518. 		reqAsJSON, err := json.Marshal(req)
    2519. 

  2519. 		if err != nil {
    2520. 

  2520. 			return result, err
    2521. 

  2521. 		}
    2522. 

  2522. 		resp, err := httpclient.Post(config.CheckPasswordHook, "application/json", bytes.NewBuffer(reqAsJSON))
    2523. 

  2523. 		if err != nil {
    2524. 

  2524. 			providerLog(logger.LevelWarn, "error getting check password hook response: %v", err)
    2525. 

  2525. 			return result, err
    2526. 

  2526. 		}
    2527. 

  2527. 		defer resp.Body.Close()
    2528. 

  2528. 		if resp.StatusCode != http.StatusOK {
    2529. 

  2529. 			return result, fmt.Errorf("wrong http status code from chek password hook: %v, expected 200", resp.StatusCode)
    2530. 

  2530. 		}
    2531. 

  2531. 		return io.ReadAll(io.LimitReader(resp.Body, maxHookResponseSize))
    2532. 

  2532. 	}
    2533. 

  2533. 	ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
    2534. 

  2534. 	defer cancel()
    2535. 

  2535. 	cmd := exec.CommandContext(ctx, config.CheckPasswordHook)
    2536. 

  2536. 	cmd.Env = append(os.Environ(),
    2537. 

  2537. 		fmt.Sprintf("SFTPGO_AUTHD_USERNAME=%v", username),
    2538. 

  2538. 		fmt.Sprintf("SFTPGO_AUTHD_PASSWORD=%v", password),
    2539. 

  2539. 		fmt.Sprintf("SFTPGO_AUTHD_IP=%v", ip),
    2540. 

  2540. 		fmt.Sprintf("SFTPGO_AUTHD_PROTOCOL=%v", protocol),
    2541. 

  2541. 	)
    2542. 

  2542. 	return cmd.Output()
    2543. 

  2543. }
    2544. 

  2544. 

  2545. func executeCheckPasswordHook(username, password, ip, protocol string) (checkPasswordResponse, error) {
    2546. 

  2546. 	var response checkPasswordResponse
    2547. 

  2547. 

  2548. 	if !isCheckPasswordHookDefined(protocol) {
    2549. 

  2549. 		response.Status = -1
    2550. 

  2550. 		return response, nil
    2551. 

  2551. 	}
    2552. 

  2552. 

  2553. 	startTime := time.Now()
    2554. 

  2554. 	out, err := getPasswordHookResponse(username, password, ip, protocol)
    2555. 

  2555. 	providerLog(logger.LevelDebug, "check password hook executed, error: %v, elapsed: %v", err, time.Since(startTime))
    2556. 

  2556. 	if err != nil {
    2557. 

  2557. 		return response, err
    2558. 

  2558. 	}
    2559. 

  2559. 	err = json.Unmarshal(out, &response)
    2560. 

  2560. 	return response, err
    2561. 

  2561. }
    2562. 

  2562. 

  2563. func getPreLoginHookResponse(loginMethod, ip, protocol string, userAsJSON []byte) ([]byte, error) {
    2564. 

  2564. 	if strings.HasPrefix(config.PreLoginHook, "http") {
    2565. 

  2565. 		var url *url.URL
    2566. 

  2566. 		var result []byte
    2567. 

  2567. 		url, err := url.Parse(config.PreLoginHook)
    2568. 

  2568. 		if err != nil {
    2569. 

  2569. 			providerLog(logger.LevelWarn, "invalid url for pre-login hook %#v, error: %v", config.PreLoginHook, err)
    2570. 

  2570. 			return result, err
    2571. 

  2571. 		}
    2572. 

  2572. 		q := url.Query()
    2573. 

  2573. 		q.Add("login_method", loginMethod)
    2574. 

  2574. 		q.Add("ip", ip)
    2575. 

  2575. 		q.Add("protocol", protocol)
    2576. 

  2576. 		url.RawQuery = q.Encode()
    2577. 

  2577. 

  2578. 		resp, err := httpclient.Post(url.String(), "application/json", bytes.NewBuffer(userAsJSON))
    2579. 

  2579. 		if err != nil {
    2580. 

  2580. 			providerLog(logger.LevelWarn, "error getting pre-login hook response: %v", err)
    2581. 

  2581. 			return result, err
    2582. 

  2582. 		}
    2583. 

  2583. 		defer resp.Body.Close()
    2584. 

  2584. 		if resp.StatusCode == http.StatusNoContent {
    2585. 

  2585. 			return result, nil
    2586. 

  2586. 		}
    2587. 

  2587. 		if resp.StatusCode != http.StatusOK {
    2588. 

  2588. 			return result, fmt.Errorf("wrong pre-login hook http status code: %v, expected 200", resp.StatusCode)
    2589. 

  2589. 		}
    2590. 

  2590. 		return io.ReadAll(io.LimitReader(resp.Body, maxHookResponseSize))
    2591. 

  2591. 	}
    2592. 

  2592. 	ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
    2593. 

  2593. 	defer cancel()
    2594. 

  2594. 	cmd := exec.CommandContext(ctx, config.PreLoginHook)
    2595. 

  2595. 	cmd.Env = append(os.Environ(),
    2596. 

  2596. 		fmt.Sprintf("SFTPGO_LOGIND_USER=%v", string(userAsJSON)),
    2597. 

  2597. 		fmt.Sprintf("SFTPGO_LOGIND_METHOD=%v", loginMethod),
    2598. 

  2598. 		fmt.Sprintf("SFTPGO_LOGIND_IP=%v", ip),
    2599. 

  2599. 		fmt.Sprintf("SFTPGO_LOGIND_PROTOCOL=%v", protocol),
    2600. 

  2600. 	)
    2601. 

  2601. 	return cmd.Output()
    2602. 

  2602. }
    2603. 

  2603. 

  2604. func executePreLoginHook(username, loginMethod, ip, protocol string) (User, error) {
    2605. 

  2605. 	u, userAsJSON, err := getUserAndJSONForHook(username)
    2606. 

  2606. 	if err != nil {
    2607. 

  2607. 		return u, err
    2608. 

  2608. 	}
    2609. 

  2609. 	if u.Filters.Hooks.PreLoginDisabled {
    2610. 

  2610. 		return u, nil
    2611. 

  2611. 	}
    2612. 

  2612. 	startTime := time.Now()
    2613. 

  2613. 	out, err := getPreLoginHookResponse(loginMethod, ip, protocol, userAsJSON)
    2614. 

  2614. 	if err != nil {
    2615. 

  2615. 		return u, fmt.Errorf("pre-login hook error: %v, username %#v, ip %v, protocol %v elapsed %v",
    2616. 

  2616. 			err, username, ip, protocol, time.Since(startTime))
    2617. 

  2617. 	}
    2618. 

  2618. 	providerLog(logger.LevelDebug, "pre-login hook completed, elapsed: %v", time.Since(startTime))
    2619. 

  2619. 	if util.IsByteArrayEmpty(out) {
    2620. 

  2620. 		providerLog(logger.LevelDebug, "empty response from pre-login hook, no modification requested for user %#v id: %v",
    2621. 

  2621. 			username, u.ID)
    2622. 

  2622. 		if u.ID == 0 {
    2623. 

  2623. 			return u, util.NewRecordNotFoundError(fmt.Sprintf("username %#v does not exist", username))
    2624. 

  2624. 		}
    2625. 

  2625. 		return u, nil
    2626. 

  2626. 	}
    2627. 

  2627. 

  2628. 	userID := u.ID
    2629. 

  2629. 	userPwd := u.Password
    2630. 

  2630. 	userUsedQuotaSize := u.UsedQuotaSize
    2631. 

  2631. 	userUsedQuotaFiles := u.UsedQuotaFiles
    2632. 

  2632. 	userLastQuotaUpdate := u.LastQuotaUpdate
    2633. 

  2633. 	userLastLogin := u.LastLogin
    2634. 

  2634. 	userCreatedAt := u.CreatedAt
    2635. 

  2635. 	err = json.Unmarshal(out, &u)
    2636. 

  2636. 	if err != nil {
    2637. 

  2637. 		return u, fmt.Errorf("invalid pre-login hook response %#v, error: %v", string(out), err)
    2638. 

  2638. 	}
    2639. 

  2639. 	u.ID = userID
    2640. 

  2640. 	u.UsedQuotaSize = userUsedQuotaSize
    2641. 

  2641. 	u.UsedQuotaFiles = userUsedQuotaFiles
    2642. 

  2642. 	u.LastQuotaUpdate = userLastQuotaUpdate
    2643. 

  2643. 	u.LastLogin = userLastLogin
    2644. 

  2644. 	u.CreatedAt = userCreatedAt
    2645. 

  2645. 	if userID == 0 {
    2646. 

  2646. 		err = provider.addUser(&u)
    2647. 

  2647. 	} else {
    2648. 

  2648. 		u.UpdatedAt = util.GetTimeAsMsSinceEpoch(time.Now())
    2649. 

  2649. 		err = provider.updateUser(&u)
    2650. 

  2650. 		if err == nil {
    2651. 

  2651. 			webDAVUsersCache.swap(&u)
    2652. 

  2652. 			if u.Password != userPwd {
    2653. 

  2653. 				cachedPasswords.Remove(username)
    2654. 

  2654. 			}
    2655. 

  2655. 		}
    2656. 

  2656. 	}
    2657. 

  2657. 	if err != nil {
    2658. 

  2658. 		return u, err
    2659. 

  2659. 	}
    2660. 

  2660. 	providerLog(logger.LevelDebug, "user %#v added/updated from pre-login hook response, id: %v", username, userID)
    2661. 

  2661. 	if userID == 0 {
    2662. 

  2662. 		return provider.userExists(username)
    2663. 

  2663. 	}
    2664. 

  2664. 	return u, nil
    2665. 

  2665. }
    2666. 

  2666. 

  2667. // ExecutePostLoginHook executes the post login hook if defined
    2668. 

  2668. func ExecutePostLoginHook(user *User, loginMethod, ip, protocol string, err error) {
    2669. 

  2669. 	if config.PostLoginHook == "" {
    2670. 

  2670. 		return
    2671. 

  2671. 	}
    2672. 

  2672. 	if config.PostLoginScope == 1 && err == nil {
    2673. 

  2673. 		return
    2674. 

  2674. 	}
    2675. 

  2675. 	if config.PostLoginScope == 2 && err != nil {
    2676. 

  2676. 		return
    2677. 

  2677. 	}
    2678. 

  2678. 

  2679. 	go func() {
    2680. 

  2680. 		status := "0"
    2681. 

  2681. 		if err == nil {
    2682. 

  2682. 			status = "1"
    2683. 

  2683. 		}
    2684. 

  2684. 

  2685. 		user.PrepareForRendering()
    2686. 

  2686. 		userAsJSON, err := json.Marshal(user)
    2687. 

  2687. 		if err != nil {
    2688. 

  2688. 			providerLog(logger.LevelWarn, "error serializing user in post login hook: %v", err)
    2689. 

  2689. 			return
    2690. 

  2690. 		}
    2691. 

  2691. 		if strings.HasPrefix(config.PostLoginHook, "http") {
    2692. 

  2692. 			var url *url.URL
    2693. 

  2693. 			url, err := url.Parse(config.PostLoginHook)
    2694. 

  2694. 			if err != nil {
    2695. 

  2695. 				providerLog(logger.LevelDebug, "Invalid post-login hook %#v", config.PostLoginHook)
    2696. 

  2696. 				return
    2697. 

  2697. 			}
    2698. 

  2698. 			q := url.Query()
    2699. 

  2699. 			q.Add("login_method", loginMethod)
    2700. 

  2700. 			q.Add("ip", ip)
    2701. 

  2701. 			q.Add("protocol", protocol)
    2702. 

  2702. 			q.Add("status", status)
    2703. 

  2703. 			url.RawQuery = q.Encode()
    2704. 

  2704. 

  2705. 			startTime := time.Now()
    2706. 

  2706. 			respCode := 0
    2707. 

  2707. 			resp, err := httpclient.RetryablePost(url.String(), "application/json", bytes.NewBuffer(userAsJSON))
    2708. 

  2708. 			if err == nil {
    2709. 

  2709. 				respCode = resp.StatusCode
    2710. 

  2710. 				resp.Body.Close()
    2711. 

  2711. 			}
    2712. 

  2712. 			providerLog(logger.LevelDebug, "post login hook executed for user %#v, ip %v, protocol %v, response code: %v, elapsed: %v err: %v",
    2713. 

  2713. 				user.Username, ip, protocol, respCode, time.Since(startTime), err)
    2714. 

  2714. 			return
    2715. 

  2715. 		}
    2716. 

  2716. 		ctx, cancel := context.WithTimeout(context.Background(), 20*time.Second)
    2717. 

  2717. 		defer cancel()
    2718. 

  2718. 		cmd := exec.CommandContext(ctx, config.PostLoginHook)
    2719. 

  2719. 		cmd.Env = append(os.Environ(),
    2720. 

  2720. 			fmt.Sprintf("SFTPGO_LOGIND_USER=%v", string(userAsJSON)),
    2721. 

  2721. 			fmt.Sprintf("SFTPGO_LOGIND_IP=%v", ip),
    2722. 

  2722. 			fmt.Sprintf("SFTPGO_LOGIND_METHOD=%v", loginMethod),
    2723. 

  2723. 			fmt.Sprintf("SFTPGO_LOGIND_STATUS=%v", status),
    2724. 

  2724. 			fmt.Sprintf("SFTPGO_LOGIND_PROTOCOL=%v", protocol))
    2725. 

  2725. 		startTime := time.Now()
    2726. 

  2726. 		err = cmd.Run()
    2727. 

  2727. 		providerLog(logger.LevelDebug, "post login hook executed for user %#v, ip %v, protocol %v, elapsed %v err: %v",
    2728. 

  2728. 			user.Username, ip, protocol, time.Since(startTime), err)
    2729. 

  2729. 	}()
    2730. 

  2730. }
    2731. 

  2731. 

  2732. func getExternalAuthResponse(username, password, pkey, keyboardInteractive, ip, protocol string, cert *x509.Certificate, userAsJSON []byte) ([]byte, error) {
    2733. 

  2733. 	var tlsCert string
    2734. 

  2734. 	if cert != nil {
    2735. 

  2735. 		var err error
    2736. 

  2736. 		tlsCert, err = util.EncodeTLSCertToPem(cert)
    2737. 

  2737. 		if err != nil {
    2738. 

  2738. 			return nil, err
    2739. 

  2739. 		}
    2740. 

  2740. 	}
    2741. 

  2741. 	if strings.HasPrefix(config.ExternalAuthHook, "http") {
    2742. 

  2742. 		var result []byte
    2743. 

  2743. 		authRequest := make(map[string]string)
    2744. 

  2744. 		authRequest["username"] = username
    2745. 

  2745. 		authRequest["ip"] = ip
    2746. 

  2746. 		authRequest["password"] = password
    2747. 

  2747. 		authRequest["public_key"] = pkey
    2748. 

  2748. 		authRequest["protocol"] = protocol
    2749. 

  2749. 		authRequest["keyboard_interactive"] = keyboardInteractive
    2750. 

  2750. 		authRequest["tls_cert"] = tlsCert
    2751. 

  2751. 		if len(userAsJSON) > 0 {
    2752. 

  2752. 			authRequest["user"] = string(userAsJSON)
    2753. 

  2753. 		}
    2754. 

  2754. 		authRequestAsJSON, err := json.Marshal(authRequest)
    2755. 

  2755. 		if err != nil {
    2756. 

  2756. 			providerLog(logger.LevelWarn, "error serializing external auth request: %v", err)
    2757. 

  2757. 			return result, err
    2758. 

  2758. 		}
    2759. 

  2759. 		resp, err := httpclient.Post(config.ExternalAuthHook, "application/json", bytes.NewBuffer(authRequestAsJSON))
    2760. 

  2760. 		if err != nil {
    2761. 

  2761. 			providerLog(logger.LevelWarn, "error getting external auth hook HTTP response: %v", err)
    2762. 

  2762. 			return result, err
    2763. 

  2763. 		}
    2764. 

  2764. 		defer resp.Body.Close()
    2765. 

  2765. 		providerLog(logger.LevelDebug, "external auth hook executed, response code: %v", resp.StatusCode)
    2766. 

  2766. 		if resp.StatusCode != http.StatusOK {
    2767. 

  2767. 			return result, fmt.Errorf("wrong external auth http status code: %v, expected 200", resp.StatusCode)
    2768. 

  2768. 		}
    2769. 

  2769. 

  2770. 		return io.ReadAll(io.LimitReader(resp.Body, maxHookResponseSize))
    2771. 

  2771. 	}
    2772. 

  2772. 	ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
    2773. 

  2773. 	defer cancel()
    2774. 

  2774. 	cmd := exec.CommandContext(ctx, config.ExternalAuthHook)
    2775. 

  2775. 	cmd.Env = append(os.Environ(),
    2776. 

  2776. 		fmt.Sprintf("SFTPGO_AUTHD_USERNAME=%v", username),
    2777. 

  2777. 		fmt.Sprintf("SFTPGO_AUTHD_USER=%v", string(userAsJSON)),
    2778. 

  2778. 		fmt.Sprintf("SFTPGO_AUTHD_IP=%v", ip),
    2779. 

  2779. 		fmt.Sprintf("SFTPGO_AUTHD_PASSWORD=%v", password),
    2780. 

  2780. 		fmt.Sprintf("SFTPGO_AUTHD_PUBLIC_KEY=%v", pkey),
    2781. 

  2781. 		fmt.Sprintf("SFTPGO_AUTHD_PROTOCOL=%v", protocol),
    2782. 

  2782. 		fmt.Sprintf("SFTPGO_AUTHD_TLS_CERT=%v", strings.ReplaceAll(tlsCert, "\n", "\\n")),
    2783. 

  2783. 		fmt.Sprintf("SFTPGO_AUTHD_KEYBOARD_INTERACTIVE=%v", keyboardInteractive))
    2784. 

  2784. 	return cmd.Output()
    2785. 

  2785. }
    2786. 

  2786. 

  2787. func updateUserFromExtAuthResponse(user *User, password, pkey string) {
    2788. 

  2788. 	if password != "" {
    2789. 

  2789. 		user.Password = password
    2790. 

  2790. 	}
    2791. 

  2791. 	if pkey != "" && !util.IsStringPrefixInSlice(pkey, user.PublicKeys) {
    2792. 

  2792. 		user.PublicKeys = append(user.PublicKeys, pkey)
    2793. 

  2793. 	}
    2794. 

  2794. }
    2795. 

  2795. 

  2796. func doExternalAuth(username, password string, pubKey []byte, keyboardInteractive, ip, protocol string, tlsCert *x509.Certificate) (User, error) {
    2797. 

  2797. 	var user User
    2798. 

  2798. 

  2799. 	u, userAsJSON, err := getUserAndJSONForHook(username)
    2800. 

  2800. 	if err != nil {
    2801. 

  2801. 		return user, err
    2802. 

  2802. 	}
    2803. 

  2803. 

  2804. 	if u.Filters.Hooks.ExternalAuthDisabled {
    2805. 

  2805. 		return u, nil
    2806. 

  2806. 	}
    2807. 

  2807. 

  2808. 	pkey, err := util.GetSSHPublicKeyAsString(pubKey)
    2809. 

  2809. 	if err != nil {
    2810. 

  2810. 		return user, err
    2811. 

  2811. 	}
    2812. 

  2812. 

  2813. 	startTime := time.Now()
    2814. 

  2814. 	out, err := getExternalAuthResponse(username, password, pkey, keyboardInteractive, ip, protocol, tlsCert, userAsJSON)
    2815. 

  2815. 	if err != nil {
    2816. 

  2816. 		return user, fmt.Errorf("external auth error for user %#v: %v, elapsed: %v", username, err, time.Since(startTime))
    2817. 

  2817. 	}
    2818. 

  2818. 	providerLog(logger.LevelDebug, "external auth completed for user %#v, elapsed: %v", username, time.Since(startTime))
    2819. 

  2819. 	if util.IsByteArrayEmpty(out) {
    2820. 

  2820. 		providerLog(logger.LevelDebug, "empty response from external hook, no modification requested for user %#v id: %v",
    2821. 

  2821. 			username, u.ID)
    2822. 

  2822. 		if u.ID == 0 {
    2823. 

  2823. 			return u, util.NewRecordNotFoundError(fmt.Sprintf("username %#v does not exist", username))
    2824. 

  2824. 		}
    2825. 

  2825. 		return u, nil
    2826. 

  2826. 	}
    2827. 

  2827. 	err = json.Unmarshal(out, &user)
    2828. 

  2828. 	if err != nil {
    2829. 

  2829. 		return user, fmt.Errorf("invalid external auth response: %v", err)
    2830. 

  2830. 	}
    2831. 

  2831. 	// an empty username means authentication failure
    2832. 

  2832. 	if user.Username == "" {
    2833. 

  2833. 		return user, ErrInvalidCredentials
    2834. 

  2834. 	}
    2835. 

  2835. 	updateUserFromExtAuthResponse(&user, password, pkey)
    2836. 

  2836. 	// some users want to map multiple login usernames with a single SFTPGo account
    2837. 

  2837. 	// for example an SFTP user logins using "user1" or "user2" and the external auth
    2838. 

  2838. 	// returns "user" in both cases, so we use the username returned from
    2839. 

  2839. 	// external auth and not the one used to login
    2840. 

  2840. 	if user.Username != username {
    2841. 

  2841. 		u, err = provider.userExists(user.Username)
    2842. 

  2842. 	}
    2843. 

  2843. 	if u.ID > 0 && err == nil {
    2844. 

  2844. 		user.ID = u.ID
    2845. 

  2845. 		user.UsedQuotaSize = u.UsedQuotaSize
    2846. 

  2846. 		user.UsedQuotaFiles = u.UsedQuotaFiles
    2847. 

  2847. 		user.LastQuotaUpdate = u.LastQuotaUpdate
    2848. 

  2848. 		user.LastLogin = u.LastLogin
    2849. 

  2849. 		user.CreatedAt = u.CreatedAt
    2850. 

  2850. 		user.UpdatedAt = util.GetTimeAsMsSinceEpoch(time.Now())
    2851. 

  2851. 		err = provider.updateUser(&user)
    2852. 

  2852. 		if err == nil {
    2853. 

  2853. 			webDAVUsersCache.swap(&user)
    2854. 

  2854. 			cachedPasswords.Add(user.Username, password)
    2855. 

  2855. 		}
    2856. 

  2856. 		return user, err
    2857. 

  2857. 	}
    2858. 

  2858. 	err = provider.addUser(&user)
    2859. 

  2859. 	if err != nil {
    2860. 

  2860. 		return user, err
    2861. 

  2861. 	}
    2862. 

  2862. 	return provider.userExists(user.Username)
    2863. 

  2863. }
    2864. 

  2864. 

  2865. func doPluginAuth(username, password string, pubKey []byte, ip, protocol string,
    2866. 

  2866. 	tlsCert *x509.Certificate, authScope int,
    2867. 

  2867. ) (User, error) {
    2868. 

  2868. 	var user User
    2869. 

  2869. 

  2870. 	u, userAsJSON, err := getUserAndJSONForHook(username)
    2871. 

  2871. 	if err != nil {
    2872. 

  2872. 		return user, err
    2873. 

  2873. 	}
    2874. 

  2874. 

  2875. 	if u.Filters.Hooks.ExternalAuthDisabled {
    2876. 

  2876. 		return u, nil
    2877. 

  2877. 	}
    2878. 

  2878. 

  2879. 	pkey, err := util.GetSSHPublicKeyAsString(pubKey)
    2880. 

  2880. 	if err != nil {
    2881. 

  2881. 		return user, err
    2882. 

  2882. 	}
    2883. 

  2883. 

  2884. 	startTime := time.Now()
    2885. 

  2885. 

  2886. 	out, err := plugin.Handler.Authenticate(username, password, ip, protocol, pkey, tlsCert, authScope, userAsJSON)
    2887. 

  2887. 	if err != nil {
    2888. 

  2888. 		return user, fmt.Errorf("plugin auth error for user %#v: %v, elapsed: %v, auth scope: %v",
    2889. 

  2889. 			username, err, time.Since(startTime), authScope)
    2890. 

  2890. 	}
    2891. 

  2891. 	providerLog(logger.LevelDebug, "plugin auth completed for user %#v, elapsed: %v,auth scope: %v",
    2892. 

  2892. 		username, time.Since(startTime), authScope)
    2893. 

  2893. 	if util.IsByteArrayEmpty(out) {
    2894. 

  2894. 		providerLog(logger.LevelDebug, "empty response from plugin auth, no modification requested for user %#v id: %v",
    2895. 

  2895. 			username, u.ID)
    2896. 

  2896. 		if u.ID == 0 {
    2897. 

  2897. 			return u, util.NewRecordNotFoundError(fmt.Sprintf("username %#v does not exist", username))
    2898. 

  2898. 		}
    2899. 

  2899. 		return u, nil
    2900. 

  2900. 	}
    2901. 

  2901. 	err = json.Unmarshal(out, &user)
    2902. 

  2902. 	if err != nil {
    2903. 

  2903. 		return user, fmt.Errorf("invalid plugin auth response: %v", err)
    2904. 

  2904. 	}
    2905. 

  2905. 	updateUserFromExtAuthResponse(&user, password, pkey)
    2906. 

  2906. 	if u.ID > 0 {
    2907. 

  2907. 		user.ID = u.ID
    2908. 

  2908. 		user.UsedQuotaSize = u.UsedQuotaSize
    2909. 

  2909. 		user.UsedQuotaFiles = u.UsedQuotaFiles
    2910. 

  2910. 		user.LastQuotaUpdate = u.LastQuotaUpdate
    2911. 

  2911. 		user.LastLogin = u.LastLogin
    2912. 

  2912. 		err = provider.updateUser(&user)
    2913. 

  2913. 		if err == nil {
    2914. 

  2914. 			webDAVUsersCache.swap(&user)
    2915. 

  2915. 			cachedPasswords.Add(user.Username, password)
    2916. 

  2916. 		}
    2917. 

  2917. 		return user, err
    2918. 

  2918. 	}
    2919. 

  2919. 	err = provider.addUser(&user)
    2920. 

  2920. 	if err != nil {
    2921. 

  2921. 		return user, err
    2922. 

  2922. 	}
    2923. 

  2923. 	return provider.userExists(user.Username)
    2924. 

  2924. }
    2925. 

  2925. 

  2926. func getUserAndJSONForHook(username string) (User, []byte, error) {
    2927. 

  2927. 	var userAsJSON []byte
    2928. 

  2928. 	u, err := provider.userExists(username)
    2929. 

  2929. 	if err != nil {
    2930. 

  2930. 		if _, ok := err.(*util.RecordNotFoundError); !ok {
    2931. 

  2931. 			return u, userAsJSON, err
    2932. 

  2932. 		}
    2933. 

  2933. 		u = User{
    2934. 

  2934. 			BaseUser: sdk.BaseUser{
    2935. 

  2935. 				ID:       0,
    2936. 

  2936. 				Username: username,
    2937. 

  2937. 			},
    2938. 

  2938. 		}
    2939. 

  2939. 	}
    2940. 

  2940. 	userAsJSON, err = json.Marshal(u)
    2941. 

  2941. 	if err != nil {
    2942. 

  2942. 		return u, userAsJSON, err
    2943. 

  2943. 	}
    2944. 

  2944. 	return u, userAsJSON, err
    2945. 

  2945. }
    2946. 

  2946. 

  2947. func providerLog(level logger.LogLevel, format string, v ...interface{}) {
    2948. 

  2948. 	logger.Log(level, logSender, "", format, v...)
    2949. 

  2949. }
    2950.