Apq
/
sftpgo
mirror of https://github.com/drakkan/sftpgo.git


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320
							// Copyright (C) 2019-2022  Nicola Murino
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License as published
// by the Free Software Foundation, version 3.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU Affero General Public License for more details.
//
// You should have received a copy of the GNU Affero General Public License
// along with this program.  If not, see <https://www.gnu.org/licenses/>.

//go:build !noportable
// +build !noportable

package service

import (
	"fmt"
	"math/rand"
	"os"
	"os/signal"
	"strings"
	"syscall"
	"time"

	"github.com/grandcat/zeroconf"
	"github.com/sftpgo/sdk"

	"github.com/drakkan/sftpgo/v2/internal/config"
	"github.com/drakkan/sftpgo/v2/internal/dataprovider"
	"github.com/drakkan/sftpgo/v2/internal/ftpd"
	"github.com/drakkan/sftpgo/v2/internal/kms"
	"github.com/drakkan/sftpgo/v2/internal/logger"
	"github.com/drakkan/sftpgo/v2/internal/sftpd"
	"github.com/drakkan/sftpgo/v2/internal/util"
	"github.com/drakkan/sftpgo/v2/internal/version"
	"github.com/drakkan/sftpgo/v2/internal/webdavd"
)

// StartPortableMode starts the service in portable mode
func (s *Service) StartPortableMode(sftpdPort, ftpPort, webdavPort int, enabledSSHCommands []string, advertiseService,
	advertiseCredentials bool, ftpsCert, ftpsKey, webDavCert, webDavKey string) error {
	if s.PortableMode != 1 {
		return fmt.Errorf("service is not configured for portable mode")
	}
	rand.Seed(time.Now().UnixNano())
	err := config.LoadConfig(s.ConfigDir, s.ConfigFile)
	if err != nil {
		fmt.Printf("error loading configuration file: %v using defaults\n", err)
	}
	kmsConfig := config.GetKMSConfig()
	err = kmsConfig.Initialize()
	if err != nil {
		return err
	}
	printablePassword := s.configurePortableUser()
	dataProviderConf := config.GetProviderConf()
	dataProviderConf.Driver = dataprovider.MemoryDataProviderName
	dataProviderConf.Name = ""
	config.SetProviderConf(dataProviderConf)
	httpdConf := config.GetHTTPDConfig()
	httpdConf.Bindings = nil
	config.SetHTTPDConfig(httpdConf)
	telemetryConf := config.GetTelemetryConfig()
	telemetryConf.BindPort = 0
	config.SetTelemetryConfig(telemetryConf)
	sftpdConf := config.GetSFTPDConfig()
	sftpdConf.MaxAuthTries = 12
	sftpdConf.Bindings = []sftpd.Binding{
		{
			Port: sftpdPort,
		},
	}
	if sftpdPort >= 0 {
		if sftpdPort > 0 {
			sftpdConf.Bindings[0].Port = sftpdPort
		} else {
			// dynamic ports starts from 49152
			sftpdConf.Bindings[0].Port = 49152 + rand.Intn(15000)
		}
		if util.Contains(enabledSSHCommands, "*") {
			sftpdConf.EnabledSSHCommands = sftpd.GetSupportedSSHCommands()
		} else {
			sftpdConf.EnabledSSHCommands = enabledSSHCommands
		}
	}
	config.SetSFTPDConfig(sftpdConf)

	if ftpPort >= 0 {
		ftpConf := config.GetFTPDConfig()
		binding := ftpd.Binding{}
		if ftpPort > 0 {
			binding.Port = ftpPort
		} else {
			binding.Port = 49152 + rand.Intn(15000)
		}
		ftpConf.Bindings = []ftpd.Binding{binding}
		ftpConf.Banner = fmt.Sprintf("SFTPGo portable %v ready", version.Get().Version)
		ftpConf.CertificateFile = ftpsCert
		ftpConf.CertificateKeyFile = ftpsKey
		config.SetFTPDConfig(ftpConf)
	}

	if webdavPort >= 0 {
		webDavConf := config.GetWebDAVDConfig()
		binding := webdavd.Binding{}
		if webdavPort > 0 {
			binding.Port = webdavPort
		} else {
			binding.Port = 49152 + rand.Intn(15000)
		}
		webDavConf.Bindings = []webdavd.Binding{binding}
		webDavConf.CertificateFile = webDavCert
		webDavConf.CertificateKeyFile = webDavKey
		config.SetWebDAVDConfig(webDavConf)
	}

	err = s.Start(true)
	if err != nil {
		return err
	}

	s.advertiseServices(advertiseService, advertiseCredentials)

	logger.InfoToConsole("Portable mode ready, user: %#v, password: %#v, public keys: %v, directory: %#v, "+
		"permissions: %+v, enabled ssh commands: %v file patterns filters: %+v %v", s.PortableUser.Username,
		printablePassword, s.PortableUser.PublicKeys, s.getPortableDirToServe(), s.PortableUser.Permissions,
		sftpdConf.EnabledSSHCommands, s.PortableUser.Filters.FilePatterns, s.getServiceOptionalInfoString())
	return nil
}

func (s *Service) getServiceOptionalInfoString() string {
	var info strings.Builder
	if config.GetSFTPDConfig().Bindings[0].IsValid() {
		info.WriteString(fmt.Sprintf("SFTP port: %v ", config.GetSFTPDConfig().Bindings[0].Port))
	}
	if config.GetFTPDConfig().Bindings[0].IsValid() {
		info.WriteString(fmt.Sprintf("FTP port: %v ", config.GetFTPDConfig().Bindings[0].Port))
	}
	if config.GetWebDAVDConfig().Bindings[0].IsValid() {
		scheme := "http"
		if config.GetWebDAVDConfig().CertificateFile != "" && config.GetWebDAVDConfig().CertificateKeyFile != "" {
			scheme = "https"
		}
		info.WriteString(fmt.Sprintf("WebDAV URL: %v://<your IP>:%v/", scheme, config.GetWebDAVDConfig().Bindings[0].Port))
	}
	return info.String()
}

func (s *Service) advertiseServices(advertiseService, advertiseCredentials bool) {
	var mDNSServiceSFTP *zeroconf.Server
	var mDNSServiceFTP *zeroconf.Server
	var mDNSServiceDAV *zeroconf.Server
	var err error

	if advertiseService {
		meta := []string{
			fmt.Sprintf("version=%v", version.Get().Version),
		}
		if advertiseCredentials {
			logger.InfoToConsole("Advertising credentials via multicast DNS")
			meta = append(meta, fmt.Sprintf("user=%v", s.PortableUser.Username))
			if len(s.PortableUser.Password) > 0 {
				meta = append(meta, fmt.Sprintf("password=%v", s.PortableUser.Password))
			} else {
				logger.InfoToConsole("Unable to advertise key based credentials via multicast DNS, we don't have the private key")
			}
		}
		sftpdConf := config.GetSFTPDConfig()
		if sftpdConf.Bindings[0].IsValid() {
			mDNSServiceSFTP, err = zeroconf.Register(
				fmt.Sprintf("SFTPGo portable %v", sftpdConf.Bindings[0].Port), // service instance name
				"_sftp-ssh._tcp",           // service type and protocol
				"local.",                   // service domain
				sftpdConf.Bindings[0].Port, // service port
				meta,                       // service metadata
				nil,                        // register on all network interfaces
			)
			if err != nil {
				mDNSServiceSFTP = nil
				logger.WarnToConsole("Unable to advertise SFTP service via multicast DNS: %v", err)
			} else {
				logger.InfoToConsole("SFTP service advertised via multicast DNS")
			}
		}
		ftpdConf := config.GetFTPDConfig()
		if ftpdConf.Bindings[0].IsValid() {
			port := ftpdConf.Bindings[0].Port
			mDNSServiceFTP, err = zeroconf.Register(
				fmt.Sprintf("SFTPGo portable %v", port),
				"_ftp._tcp",
				"local.",
				port,
				meta,
				nil,
			)
			if err != nil {
				mDNSServiceFTP = nil
				logger.WarnToConsole("Unable to advertise FTP service via multicast DNS: %v", err)
			} else {
				logger.InfoToConsole("FTP service advertised via multicast DNS")
			}
		}
		webdavConf := config.GetWebDAVDConfig()
		if webdavConf.Bindings[0].IsValid() {
			mDNSServiceDAV, err = zeroconf.Register(
				fmt.Sprintf("SFTPGo portable %v", webdavConf.Bindings[0].Port),
				"_http._tcp",
				"local.",
				webdavConf.Bindings[0].Port,
				meta,
				nil,
			)
			if err != nil {
				mDNSServiceDAV = nil
				logger.WarnToConsole("Unable to advertise WebDAV service via multicast DNS: %v", err)
			} else {
				logger.InfoToConsole("WebDAV service advertised via multicast DNS")
			}
		}
	}
	sig := make(chan os.Signal, 1)
	signal.Notify(sig, os.Interrupt, syscall.SIGTERM)
	go func() {
		<-sig
		if mDNSServiceSFTP != nil {
			logger.InfoToConsole("unregistering multicast DNS SFTP service")
			mDNSServiceSFTP.Shutdown()
		}
		if mDNSServiceFTP != nil {
			logger.InfoToConsole("unregistering multicast DNS FTP service")
			mDNSServiceFTP.Shutdown()
		}
		if mDNSServiceDAV != nil {
			logger.InfoToConsole("unregistering multicast DNS WebDAV service")
			mDNSServiceDAV.Shutdown()
		}
		s.Stop()
	}()
}

func (s *Service) getPortableDirToServe() string {
	switch s.PortableUser.FsConfig.Provider {
	case sdk.S3FilesystemProvider:
		return s.PortableUser.FsConfig.S3Config.KeyPrefix
	case sdk.GCSFilesystemProvider:
		return s.PortableUser.FsConfig.GCSConfig.KeyPrefix
	case sdk.AzureBlobFilesystemProvider:
		return s.PortableUser.FsConfig.AzBlobConfig.KeyPrefix
	case sdk.SFTPFilesystemProvider:
		return s.PortableUser.FsConfig.SFTPConfig.Prefix
	case sdk.HTTPFilesystemProvider:
		return "/"
	default:
		return s.PortableUser.HomeDir
	}
}

// configures the portable user and return the printable password if any
func (s *Service) configurePortableUser() string {
	if s.PortableUser.Username == "" {
		s.PortableUser.Username = "user"
	}
	printablePassword := ""
	if s.PortableUser.Password != "" {
		printablePassword = "[redacted]"
	}
	if len(s.PortableUser.PublicKeys) == 0 && s.PortableUser.Password == "" {
		var b strings.Builder
		for i := 0; i < 8; i++ {
			b.WriteRune(chars[rand.Intn(len(chars))])
		}
		s.PortableUser.Password = b.String()
		printablePassword = s.PortableUser.Password
	}
	s.configurePortableSecrets()
	return printablePassword
}

func (s *Service) configurePortableSecrets() {
	// we created the user before to initialize the KMS so we need to create the secret here
	switch s.PortableUser.FsConfig.Provider {
	case sdk.S3FilesystemProvider:
		payload := s.PortableUser.FsConfig.S3Config.AccessSecret.GetPayload()
		s.PortableUser.FsConfig.S3Config.AccessSecret = getSecretFromString(payload)
	case sdk.GCSFilesystemProvider:
		payload := s.PortableUser.FsConfig.GCSConfig.Credentials.GetPayload()
		s.PortableUser.FsConfig.GCSConfig.Credentials = getSecretFromString(payload)
	case sdk.AzureBlobFilesystemProvider:
		payload := s.PortableUser.FsConfig.AzBlobConfig.AccountKey.GetPayload()
		s.PortableUser.FsConfig.AzBlobConfig.AccountKey = getSecretFromString(payload)
		payload = s.PortableUser.FsConfig.AzBlobConfig.SASURL.GetPayload()
		s.PortableUser.FsConfig.AzBlobConfig.SASURL = getSecretFromString(payload)
	case sdk.CryptedFilesystemProvider:
		payload := s.PortableUser.FsConfig.CryptConfig.Passphrase.GetPayload()
		s.PortableUser.FsConfig.CryptConfig.Passphrase = getSecretFromString(payload)
	case sdk.SFTPFilesystemProvider:
		payload := s.PortableUser.FsConfig.SFTPConfig.Password.GetPayload()
		s.PortableUser.FsConfig.SFTPConfig.Password = getSecretFromString(payload)
		payload = s.PortableUser.FsConfig.SFTPConfig.PrivateKey.GetPayload()
		s.PortableUser.FsConfig.SFTPConfig.PrivateKey = getSecretFromString(payload)
		payload = s.PortableUser.FsConfig.SFTPConfig.KeyPassphrase.GetPayload()
		s.PortableUser.FsConfig.SFTPConfig.KeyPassphrase = getSecretFromString(payload)
	case sdk.HTTPFilesystemProvider:
		payload := s.PortableUser.FsConfig.HTTPConfig.Password.GetPayload()
		s.PortableUser.FsConfig.HTTPConfig.Password = getSecretFromString(payload)
		payload = s.PortableUser.FsConfig.HTTPConfig.APIKey.GetPayload()
		s.PortableUser.FsConfig.HTTPConfig.APIKey = getSecretFromString(payload)
	}
}

func getSecretFromString(payload string) *kms.Secret {
	if payload != "" {
		return kms.NewPlainSecret(payload)
	}
	return kms.NewEmptySecret()
}